- From: Philip Hallam-Baker <pbaker@verisign.com>
- Date: Wed, 30 Aug 2000 09:19:36 -0700
- To: "'xml-encryption@w3.org'" <xml-encryption@w3.org>
- Message-ID: <2F3EC696EAEED311BB2D009027C3F4F408EC00@vhqpostal.verisign.com>
I would recharacterise the problem. When you have a signed message you can only trust the bits as signed. Hence an architecturally secure signature package SHOULD assemble the bit stream for the digest function, send it to the verifier AND THEN REPARSE THE BIT STREAM. It's the type of defensive coding that most folk are not prepared to do because it is unnecessary IFF the code is correct... Yeah, right...

With S/MIME there is a structural problem that only a part of the mail message is actually signed. Not only is there possibly important but unsigned information in the To: field, but the subject field is also unsigned (and unencrypted). Consider the following messages:

    From: Alice
    Subject: Look out, promotion opportunity!

    Mallet got fired today.

    From: Alice
    Subject: Look out, you could be next!

    Mallet got fired today.

Or on the confidentiality side:

    From: Legal
    Subject: CONFIDENTIAL: Probability of appeals court success is low

    a.3w4958e4toi.aw74tt97a4w274oa3yu4t6734qa4327hf894
    aw4aw459iuaw4p8eutawoiu4j5073460897==

I think it is a problem with the S/MIME spec rather than the structural CMS issue suggested. S/MIME provides good payload security but as with PGP the integration to the SMTP message transport is lousy.

    Sign (Alice, Encrypt (Bob, "From: alice To: bob Subject: hello Body: Hello world"))

is just as good as

    Encrypt (Bob, Sign (Alice, "From: alice To: Bob Subject: hello Body: Hello world"))

The problem comes with

    From: alice
    Subject: hello
    Body: Encrypt (Bob, Sign (Alice, "Body: Hello world"))

and the different but equally broken

    From: alice
    Subject: hello
    Body: Sign (Alice, Encrypt (Bob, "Body: Hello world"))

The need to secure headers is just one of those things that you can spend as long as you like arguing the case but nobody is going to take any notice until there is a compromise. With XML security I would see the prime use for these protocols to be to secure message sets that will be written for the purpose.
Phill

Phillip Hallam-Baker
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227
Received on Wednesday, 30 August 2000 12:24:53 UTC
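The two points in the mail above, that a verifier may only trust what it reparses from the signed bit stream and that an unsigned Subject: can be swapped without the signature noticing, as an added example that is not part of the original message or of any S/MIME or XML Signature implementation. An HMAC with a constructed key stands in for Alice's signature so it runs offline; the functions, the canonical form and the sample headers are all assumptions made here.

```python
import hashlib
import hmac

# Constructed demo key: an HMAC stands in for Alice's signature so the example
# runs offline; the structural point (which bytes are covered) is unchanged.
KEY = b"constructed-demo-key"
PROTECTED = ("From", "To", "Subject")  # the headers the mail argues must be bound

def canonical(headers, body):
    """The bit stream fed to the digest: sorted header lines, blank line, body."""
    lines = [f"{k}: {v}" for k, v in sorted(headers.items())]
    return ("\n".join(lines) + "\n\n" + body).encode()

def sign(headers, body):
    stream = canonical(headers, body)
    return stream, hmac.new(KEY, stream, hashlib.sha256).hexdigest()

def verify_and_reparse(stream, tag):
    """Check the tag over the received bytes, then reparse THOSE bytes.
    Nothing outside the verified stream is trusted; returns None on failure."""
    expect = hmac.new(KEY, stream, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, tag):
        return None
    head, _, body = stream.decode().partition("\n\n")
    headers = dict(line.split(": ", 1) for line in head.splitlines())
    return headers, body

def present(envelope, stream, tag):
    """What a client should show: a header from the signed stream wins over the
    transport envelope, and an envelope-only header is flagged UNSIGNED."""
    result = verify_and_reparse(stream, tag)
    if result is None:
        return None
    signed, body = result
    shown = {}
    for k in PROTECTED:
        if k in signed:
            shown[k] = (signed[k], "signed")
        elif k in envelope:
            shown[k] = (envelope[k], "UNSIGNED")
    return shown, body

BODY = "Mallet got fired today."
ALICE = {"From": "Alice", "To": "Bob", "Subject": "Look out, promotion opportunity!"}
TAMPERED = dict(ALICE, Subject="Look out, you could be next!")  # altered in transit
body_only = sign({}, BODY)     # S/MIME-style: headers ride outside the signed bytes
bound = sign(ALICE, BODY)      # headers carried inside the signed bytes
```

With the body-only scheme the tampered Subject: still arrives under a valid signature and can only be shown as UNSIGNED; with the headers bound, the client reads Subject: from the reparsed signed stream and the envelope value is ignored.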