INFO-VAX	Sun, 23 Dec 2007	Volume 2007 : Issue 702

   Contents:
Re: IMAP server security vulnerability
Re: IMAP server security vulnerability
Re: OT: Merry Christmas to c.o.v. !
Re: OT: Merry Christmas to c.o.v. !
Re: OT: Merry Christmas to c.o.v. !
Re: OT: Merry Christmas to c.o.v. !

----------------------------------------------------------------------

Date: Sun, 23 Dec 2007 10:34:14 GMT
From: Jan-Erik Söderholm
Subject: Re: IMAP server security vulnerability
Message-ID: <GQqbj.1956$R_4.1514@newsb.telia.net>

Richard Maher wrote:

> Ok, but can you explain a little more about the
> WS-Authorization/Authentication mechanisms involved? I guess I was asking
> Jan-Erik which method his SOAP implementation was using to pass
> Client-Authorization so that we could at least have a real world SOAP
> example. (Anyone been able to find examples on the HP/VMS site?)

Here is one XML/SOAP example:
http://api.tradera.com/v1/restrictedservice.asmx?op=GetItem
Note the "AuthenticationHeader" (identifying the client app)
and the "AuthorizationHeader" (identifying the "user").

And don't ask me about it, it's not my design.

Jan-Erik.

------------------------------

Date: Sun, 23 Dec 2007 13:26:17 -0500
From: Arne Vajhøj <arne@vajhoej.dk>
Subject: Re: IMAP server security vulnerability
Message-ID: <476ea845$0$90272$14726298@news.sunsite.dk>

Richard Maher wrote:
> And for those of you who like VMS Auditing; how do you feel about the
> Server's username being logged against the audit logs for failed access
> attempts rather than the Client's username?

Since login is generally not required, and in a web context the users
usually do not have an account on the server, the server's username
is often what is available.

> Or wouldn't it be nice to have a
> trigger on an Rdb database table that could log the table access into an
> auditing table using the Session User Intrinsic rather than the System User?

If users are logged in, then for static content the access log will
have the info, and for dynamic content you can do whatever you want.

>> If it is web yes.
> 
> Not necessarily!

If it is HTTP.

>> HTTPS for transport encryption and an old-fashioned username/password
>> is common.
> 
> How is the username/password presented to the web-service? (In the
> wsse:token stuff, or plucked out of the URL, or passed as parameters?)

As arguments to a login call.

>> If you are to the advanced stuff you use WS-S, which is signing and
>> encryption at the message level instead of at the transport level.
> 
> Ok, but can you explain a little more about the
> WS-Authorization/Authentication mechanisms involved?

WS-S basically normalizes the XML and signs/encrypts it using
private-public keys.

The caller can be authenticated that way. Authorization has to be
built into the service.

> I guess I was asking
> Jan-Erik which method his SOAP implementation was using to pass
> Client-Authorization so that we could at least have a real world SOAP
> example.

I don't think I know a public web service that uses WS-S. The situations
where it is used are usually "very non-public".


> The gSOAP site says that gSOAP supports WS-Security and unless Jan-Erik's
> client doesn't request much except read-only Google-maps or "Give me the
> weather forecast" stuff, I'm guessing that the target of his SOAP-call would
> want to validate that a) the client is who he says he is, and b) that he's
> authorized to perform the requested action on the requested data. I, for
> one, am very interested in the codepath for how this is being achieved!

WS-S provides #a but not #b.

> Do you have to pass authorization for each SOAP call, or are you aiming for
> a Single-Sign-on mechanism like SAML? The term "Security Interceptors"
> sounds interesting also.

You can use WS-S with SAML and other. But basic WS-S is just signing
the message with the callers private key and the server checking
with the public key. I have never worked with SAML, so I can not
comment on the authorization part. There are several other WS-something
specs that may be relevant.

> Who is your "Identity Provider"? How much does it cost? How long do the
> identities live? How do you prevent Identity-Hijacking a la mode de
> JavaScript Session-Hijacking? How could one integrate the Identity-providers
> "Identity" with our VMS Usernames?

A lot of the SOAP stuff is system-to-system oriented and does not use
sophisticated identity stuff.

And I have never heard about a "SYSUAF based" identity system.

> How many of you are working on, or have even seen (website please), an
> application that combines update functionality (not
> news/sports/weather-aggregators or language translators) from two or more
> disparate, heterogeneous SOAP servers and RPCs? WS-AT? "Business Activity"
> transactions? BEA got a debit/credit thing happening with OracleiAS
> somewhere?

I have seen a lot of SOAP stuff.

None that are publicly available. As I said earlier, the interesting
stuff is usually not public.

I have not had to work with transaction WS standards - yet.

> SOAP by OASIS - talk about a horse designed by committee :-(

SOAP is a W3C standard, not an OASIS standard.

(but OASIS does a lot of the other WS standards mentioned)

Arne

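An added example of the pattern Arne describes above (my code, not his and not any real WS-Security toolkit): the caller signs a canonicalized message with its private key, the service verifies it against the public key it has registered for that caller, and authorization is a separate rule the service has to implement itself. It uses Go's standard-library RSA; the Service type, its key registry, the ACL, the caller id and the sample body are all constructed for the example, and the whitespace-collapsing Digest is a toy stand-in for XML canonicalization.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Digest stands in for XML C14N plus hashing; the whitespace collapsing is a toy stand-in, not real C14N.
func Digest(body string) []byte {
	h := sha256.Sum256([]byte(strings.Join(strings.Fields(body), " ")))
	return h[:]
}

// SignMessage is the caller side: sign the digest with the caller's private key.
func SignMessage(priv *rsa.PrivateKey, body string) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(body))
}

// Service holds what WS-S does not define: a key-to-caller registry and a per-caller ACL (hypothetical).
type Service struct {
	Keys map[string]*rsa.PublicKey  // caller id -> registered public key
	ACL  map[string]map[string]bool // caller id -> permitted operations
}

// HandleCall authenticates the signature (point a), then applies the service's own ACL (point b).
func (s *Service) HandleCall(caller, op, body string, sig []byte) string {
	pub := s.Keys[caller]
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(body), sig) != nil {
		return "rejected: not authenticated as " + caller
	}
	if !s.ACL[caller][op] {
		return "rejected: " + caller + " authenticated but not authorized for " + op
	}
	return "ok: " + op + " for " + caller
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	svc := &Service{Keys: map[string]*rsa.PublicKey{"client-app": &priv.PublicKey},
		ACL: map[string]map[string]bool{"client-app": {"GetItem": true}}}
	body := "<GetItem>\n  <itemId>123</itemId>\n</GetItem>" // constructed sample body
	sig, _ := SignMessage(priv, body)
	fmt.Println(svc.HandleCall("client-app", "GetItem", body, sig))
	fmt.Println(svc.HandleCall("client-app", "UpdateItem", body, sig))     // authenticated only
	fmt.Println(svc.HandleCall("client-app", "GetItem", body+"<x/>", sig)) // tampered body
}
```

The second call is the point of the thread: a valid signature proves who sent the message, but whether that caller may run UpdateItem is the service's decision.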
------------------------------

Date: Sun, 23 Dec 2007 14:45:52 GMT
From:   VAXman-  @SendSpamHere.ORG
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID: <Awubj.1$cn2.0@newsfe09.lga>

In article <476DB861.6010004@comcast.net>, "Richard B. Gilbert" <rgilbert88@comcast.net> writes:
>{...snip...}
>
>If you already knew, why did you imply that you needed to know?

The point is that the equinoxes and solstices vary; the 25th of December
does not.


-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker   VAXman(at)TMESIS(dot)COM
           
  "Well my son, life is like a beanstalk, isn't it?" 

http://tmesis.com/drat.html

------------------------------

Date: Sun, 23 Dec 2007 10:26:39 -0500
From: JF Mezei <jfmezei.spamnot@vaxination.ca>
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID: <476e7e5f$0$25326$c3e8da3@news.astraweb.com>

VAXman- @SendSpamHere.ORG wrote:
> The point is that the equinoxes and solstices vary; the 25th of December
> does not.

And December 25th is also a huge day for physicists since it proves it
is possible to travel faster than the speed of light (and have almost
instantaneous acceleration and deceleration). The sleigh Santa uses to
deliver the gifts to every kid around the world in 24 hours doesn't
have 2 skis under it, they are 2 warp drive nacelles... the reindeer are
just for decoration.

------------------------------

Date: Sun, 23 Dec 2007 15:54:00 -0000
From: "David Biddulph" <groups [at] biddulph.org.uk>
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID: <c76dnWMJRKQ4GfPanZ2dnUVZ8ternZ2d@bt.com>

"JF Mezei" <jfmezei.spamnot@vaxination.ca> wrote in message 
news:476e7e5f$0$25326$c3e8da3@news.astraweb.com...
> VAXman- @SendSpamHere.ORG wrote:
>> The point is that the equinoxes and solstices vary; the 25th of December
>> does not.
>
> And December 25th is also a huge day for physicists since it proves it
> is possible to travel faster than the speed of light (and have almost
> instantaneous acceleration and deceleration). The sleigh Santa uses to
> deliver the gifts to every kid around the world in 24 hours doesn't
> have 2 skis under it, they are 2 warp drive nacelles... the reindeer are
> just for decoration.

But Swedish engineers have decided that Santa would do better if he 
relocated from the North Pole to Kyrgyzstan:
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/12/23/nxmas223.xml 
:-)
-- 
David Biddulph 

------------------------------

Date: Sun, 23 Dec 2007 16:38:31 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID: <fkm2u7$54q$1@south.jnrs.ja.net>

In article <476e7e5f$0$25326$c3e8da3@news.astraweb.com>, JF Mezei <jfmezei.spamnot@vaxination.ca> writes:
>VAXman- @SendSpamHere.ORG wrote:
>> The point is that the equinoxes and solstices vary; the 25th of December
>> does not.
>
>And December 25th is also a huge day for physicists since it proves it
>is possible to travel faster than the speed of light (and have almost
>instantaneous acceleration and deceleration). The sleigh Santa uses to
>deliver the gifts to every kid around the world in 24 hours doesn't
>have 2 skis under it, they are 2 warp drive nacelles... the reindeer are
>just for decoration.

Unfortunately that isn't enough. Santa has to get off his sleigh and climb down
all those chimneys. However, he came up with a brilliant solution - time travel.
He'd have a brief break from Christmas day until New Year's, and then on the 2nd
of January and every subsequent day he would travel back to Christmas eve to
deliver the presents. This worked great when he started. Unfortunately the
number of children kept on growing and growing, so first of all he lost his
winter break and then he started falling further behind. He's now coming back
to deliver presents for this Xmas eve from the year 3000 or thereabouts.
He just hopes God doesn't decide to hold the apocalypse, since so long as the
Universe keeps on going no one, not even God, can point to any Xmas eve when he
won't have delivered the presents; but if the Universe were to end he would no
longer be able to travel back, and hence would have signalled the coming
apocalypse years, decades, centuries or millennia in advance because he would have
stopped delivering the presents.
  
That would probably annoy God a little.

[Santa has a small chance to catch up if the apocalypse doesn't happen and
the human race drastically reduces its population so he could start catching
up again, but until that happens he is going to fall further and further
behind.]

   
(This is a variant of Russell's Tristram Shandy paradox 

"
Tristram Shandy, as we know, took two years writing the history of the first
two days of his life, and lamented that, at this rate, material would
accumulate faster than he could deal with it, so that he could never come to an
end. Now I maintain that, if he had lived forever, and not wearied of his task,
then, even if his life had continued as eventfully as it began, no part of his
biography would have remained unwritten. This paradox, which I shall show is
strictly correlative to the Achilles, may be called for convenience the
Tristram Shandy. 
" 

which is based on Laurence Sterne's book "The Life and Opinions of Tristram
Shandy, Gentleman"

)



Merry XMAS everyone

   
David Webb
Security team leader
CCSS
Middlesex University
 

------------------------------

End of INFO-VAX 2007.702
************************