RE: Security Question from Hal Lockhart on 2002-08-05 (www-ws-arch@w3.org from August 2002)

From: Hal Lockhart <hal.lockhart@entegrity.com>
Date: Mon, 5 Aug 2002 14:51:33 -0400
To: "'Cutler, Roger (RogerCutler)'" <RogerCutler@ChevronTexaco.com>, www-ws-arch@w3.org
Message-ID: <899128A30EEDD1118FC900A0C9C74A34010341BC@bigbird.gradient.com>

You have put your finger on an important issue that has been much discussed
on the PKIX mailing list and other fora that attract security professionals,
but not much in application circles. To summarize it in my own words:
security mechanisms can protect the integrity and confidentiality of data
traversing untrusted networks, but this does not help unless there is
agreement on informaiton semantics.
 
The case much discussed in digital signature circles is: what does it mean
when you digitally sign a document. In some contexts, you might want it to
mean, "I agree to be bound by this contract." In others, it might simply
mean "here is my latest draft, you can be sure it was not altered in
transit." Or even "here is something interesting I found on the Internet,
which you can tell is not SPAM because it comes from me."
 
The general consensus is it is important to be as explicit as possible when
legal or financial issues are at stake. In your example, if ordering goods
or services, it would be best to avoid depending on a default value or any
other potentially ambigious construct. Perhaps if the schema was maintained
in a public place, such as an industry consortium that developed the schema,
you could eventually prove what the default was "supposed to be", but why
not avoid the hassle in the first place? Ideally, signed transactions should
stand on their own and not require reference to other information that is
not protected or can be changed asynchronously.
 
Hal

-----Original Message-----
From: Cutler, Roger (RogerCutler) [mailto:RogerCutler@ChevronTexaco.com]
Sent: Monday, August 05, 2002 2:18 PM
To: www-ws-arch@w3.org
Subject: Security Question



I've got a question about security that may reflect some misconception on my
part -- but here goes anyway: 

I think that the XML payload of the response from a web service -- or indeed
I suppose the message that invokes it -- may be validated by a schema.  If
so, that schema can add data via defaults and/or fixed values.  How is this
secured?

Let me be more specific with a contrived example:  Suppose we are purchasing
widgets via a web service and in the XML document you specify "1" for the
amount to purchase.  However, suppose the schema has a default value of
"Each" that explains the meaning of the "1".  Now suppose that either from
malicious tampering or through the use of a schema intended for a different
audience that default (which is on the seller side) is changed to "dozen".
Now the "1" really means 12 items, which is a lot more expensive.

This is obviously contrived and dumb, but I think it illustrates the fact
that schemas can affect data. 

So how is this secured?  Can the buyer in the context of the message
unambiguously specify what schema must be used for validation and have some
sort of check that it was the right one?  Can it be secured?

Received on Monday, 5 August 2002 14:53:20 UTC