RE: [ebxml-dev] Hermes1: Howto configure Persistent Confidentiality?

Albert,
 
Google turns up some insightful links - I searched on -
 
 xml encryption persistent confidentiality
 
It does indeed seem that the specifications cover off much on this topic.
 
This one especially good and instructive -
http://webservices.xml.com/lpt/a/ws/2003/03/18/ebxml.html
 
and
 
http://www.moda-ml.org/moda-ml/imple/sicurezza/MODAMLSecurity3.asp?lingua=en 
 
Also - I noticed Adobe have this briefing -
http://www.adobe.com/government/pdfs/govt_infrastructure_sb.pdf 
 
Not sure what your use case is but having a PDF as the payload also seems an excellent option?
 
In various email exchanges in 2001/2003 Chris Ferris worries about MITM attacks and the SOAP/MIME header not being encrypted.  However - while in theory - practice and theory are the same - in practice they are not!
 
Chris raises too many "maybes" as potential critical flaws - when in fact very few people, if any, will encounter such conditions as he postulates.
 
In reality - Hermes users are doing point-to-point SSL with certificate exchanges - where the end-points are specified in the CPA - that's how we're using Hermes.  So for us we could implement the signed encrypted portion of the message as a simple binary attachment - which Hermes already does - and then use the decryption on the other end. 
 
Even if someone in a multiple partner scenario did manage to somehow divert a payload - as Chris was speculating - without the decryption keys - all they have is a binary attachment!  And again in reality - any multi-partner scenarios I've seen - are with trusted partners - not unknown untrusted third parties!
 
So - Albert - I would suggest implementing this in your XML message and using binary attachments.  Hermes will SOAP package those pieces for you and send them as normally - and you can add the extra XML signature handling logic in the data handlers that Hermes allows you to configure.
 
DW

"The way to be is to do" - Confucius (551-472 B.C.)
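
The payload-level encryption DW describes, as an added example that is not part of the original thread or of Hermes itself: it assumes the Apache Santuario (xmlsec) API and a constructed sample payload, encrypting the payload content under a fresh AES key that is wrapped with the partner's RSA public key, so that without that partner's private key the attachment is just opaque bytes regardless of the transport that carried it.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.encryption.*;
import org.apache.xml.security.keys.KeyInfo;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class PayloadEncryptionDemo {
    static { org.apache.xml.security.Init.init(); }

    // Encrypt the content of one payload element with a fresh AES-128-GCM key, then wrap that
    // key with the partner's RSA public key (RSA-OAEP) inside <EncryptedData>/<KeyInfo>.
    public static Document encryptPayload(Document doc, Element payload, PublicKey partnerKey)
            throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey contentKey = kg.generateKey();
        XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.RSA_OAEP);
        keyCipher.init(XMLCipher.WRAP_MODE, partnerKey);
        EncryptedKey wrappedKey = keyCipher.encryptKey(doc, contentKey);
        XMLCipher dataCipher = XMLCipher.getInstance(XMLCipher.AES_128_GCM);
        dataCipher.init(XMLCipher.ENCRYPT_MODE, contentKey);
        KeyInfo keyInfo = new KeyInfo(doc);
        keyInfo.add(wrappedKey);
        dataCipher.getEncryptedData().setKeyInfo(keyInfo);
        return dataCipher.doFinal(doc, payload, true); // true: encrypt child content, keep the element
    }

    // Receiver side: the content key is unwrapped from KeyInfo with our private key (KEK).
    public static Document decryptPayload(Document doc, PrivateKey ownKey) throws Exception {
        Element enc = (Element) doc.getElementsByTagNameNS(
            "http://www.w3.org/2001/04/xmlenc#", "EncryptedData").item(0);
        XMLCipher cipher = XMLCipher.getInstance();
        cipher.init(XMLCipher.DECRYPT_MODE, null);
        cipher.setKEK(ownKey);
        return cipher.doFinal(doc, enc);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair partner = kpg.generateKeyPair(); // constructed; in practice the partner certificate from the CPA
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream( // constructed sample payload
            "<Payload><Order id=\"42\">confidential order details</Order></Payload>".getBytes("UTF-8")));
        encryptPayload(doc, doc.getDocumentElement(), partner.getPublic());
        System.out.println("Order elements after encryption: " + doc.getElementsByTagName("Order").getLength());
        decryptPayload(doc, partner.getPrivate());
        System.out.println("Order elements after decryption: " + doc.getElementsByTagName("Order").getLength());
    }
}
```

The encrypted document can then be handed to Hermes as the attachment, and the signing step DW mentions is applied over the encrypted form in the configured data handler.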


-------- Original Message --------
Subject: [ebxml-dev] Hermes1: Howto configure Persistent
Confidentiality?
From: "Kappe, Albert" <albert.kappe@capgemini.com>
Date: Thu, December 14, 2006 9:44 am
To: <ebxml-dev@lists.ebxml.org>

Hello,

Does Hermes1 support Persistent Confidentiality for ebXML Payload Containers using XML Encryption?

If yes, I would appreciate any help on implementing XML Encryption for Hermes1.

Regards, Albert Kappe


