- From: <noah_mendelsohn@us.ibm.com>
- Date: Sat, 5 Mar 2005 18:33:33 -0500
- To: Rich Salz <rsalz@datapower.com>
- Cc: Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>, "www-tag@w3.org" <www-tag@w3.org>
> There is no way to get end-to-end security on HTTP
> headers. Put another way, while I can sign a
> wsa:To element, there is no way (at least not
> standard way; there might be a private scheme I
> don't know about) to sign the URL in the POST
> command.

Agreed. I think what you're giving is an argument not to use a network or "underlying protocol" with insecure routing if it doesn't meet your needs. One way or the other, your SOAP message over HTTP is going to have >some< request ID, and that's what's actually going to cause the message to be delivered. Depending on where in your own software or in the network you fear vulnerabilities, it seems inherent in HTTP and to some degree in IP that if someone can change your request ID before the message is delivered, they can cause it to be misrouted. Once that happens, signatures in the SOAP messages can protect you from imposters and "men in the middle", but they can't cause your original message to be properly delivered.

If the worry is that the message is somehow delivered correctly but the request ID is mangled anyway, then one could in principle check it against the secure copy in a signed WSA header, I think.

Bottom line: it seems to me that HTTP is the wrong protocol to use if you're worried about attacks on HTTP headers. Given that we're discussing situations where you are using HTTP, I don't see why duplicating the delivery address from the WSA header is any worse than getting it from anywhere else.

Given that Rich is a security expert and I'm not, the usual pattern at this point in our discussions is that he'll politely explain why I've completely misunderstood the problem. I do feel like I'm missing something. Help is definitely appreciated. Thanks.

Noah

--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

Rich Salz <rsalz@datapower.com>
03/04/2005 10:46 AM

To: "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>
cc: Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>, "www-tag@w3.org" <www-tag@w3.org>
Subject: Re: Minutes of the Web Services Addressing / TAG joint meeting

> "underlying" protocol such as HTTP. Duplication has serious downsides,
> but also some advantages, and may be a reasonable compromise in some
> cases, perhaps this one.

There is no way to get end-to-end security on HTTP headers. Put another way, while I can sign a wsa:To element, there is no way (at least not standard way; there might be a private scheme I don't know about) to sign the URL in the POST command.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology
http://www.datapower.com
XS40 XML Security Gateway
http://www.datapower.com/products/xs40.html
Received on Sunday, 6 March 2005 00:08:52 UTC
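
The check described in the message above (comparing the address HTTP actually delivered to against the copy in a signed WSA header), as an added example that is not part of the original thread. It assumes SOAP 1.2, the 2005/08 WS-Addressing namespace, and a hypothetical upstream WS-Security verifier that reports which wsu:Id values a valid signature covers; the sample envelope is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"  # assumed WS-Addressing version
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = f"{{{WSU}}}Id"

# Constructed sample envelope; signature elements omitted for brevity.
SAMPLE = f"""<env:Envelope xmlns:env="{SOAP}" xmlns:wsa="{WSA}" xmlns:wsu="{WSU}">
  <env:Header>
    <wsa:To wsu:Id="to-1">http://Example.org:80/orders</wsa:To>
  </env:Header>
  <env:Body/>
</env:Envelope>"""

def _canon(uri):
    """Normalize scheme, host case and default port so equal URIs compare equal."""
    u = urlsplit(uri.strip())
    scheme = u.scheme.lower()
    port = u.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (u.hostname or "").lower(), port, u.path or "/", u.query)

def check_delivery_address(scheme, host_header, request_target, envelope, signed_ids):
    """Return (ok, reason) for one received request.

    signed_ids: wsu:Id values that the upstream verifier (hypothetical, not
    shown) reported as covered by a valid signature.
    """
    root = ET.fromstring(envelope)  # production code should use a hardened parser
    tos = root.findall(f"{{{SOAP}}}Header/{{{WSA}}}To")
    if len(tos) != 1:
        return False, "expected exactly one wsa:To header"
    to_id = tos[0].get(WSU_ID)
    if to_id is None or to_id not in signed_ids:
        return False, "wsa:To is not covered by the signature"
    # Reject duplicate Ids: a second element reusing the Id is the classic
    # signature-wrapping trick for swapping in unsigned content.
    if sum(1 for e in root.iter() if e.get(WSU_ID) == to_id) != 1:
        return False, "duplicate wsu:Id in envelope"
    transport = _canon(f"{scheme}://{host_header}{request_target}")
    if _canon(tos[0].text or "") != transport:
        return False, "HTTP request target differs from signed wsa:To"
    return True, "match"
```

A mismatch only tells the receiver that the transport address and the signed address disagree; as the message says, it cannot recover a request that was routed somewhere else.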