INFO-VAX Sun, 23 Dec 2007 Volume 2007 : Issue 702

Contents:
    Re: IMAP server security vulnerability
    Re: IMAP server security vulnerability
    Re: OT: Merry Christmas to c.o.v. !
    Re: OT: Merry Christmas to c.o.v. !
    Re: OT: Merry Christmas to c.o.v. !
    Re: OT: Merry Christmas to c.o.v. !

----------------------------------------------------------------------

Date: Sun, 23 Dec 2007 10:34:14 GMT
From: Jan-Erik Söderholm
Subject: Re: IMAP server security vulnerability
Message-ID:

Richard Maher wrote:
> Ok, but can you explain a little more about the
> WS-Authorization/Authentication mechanisms involved? I guess I was asking
> Jan-Erik which method his SOAP implementation was using to pass
> Client-Authorization so that we could at least have a real world SOAP
> example. (Anyone been able to find examples on the HP/VMS site?)

Here is one XML/SOAP example:

http://api.tradera.com/v1/restrictedservice.asmx?op=GetItem

Note the "AuthenticationHeader" (identifying the client app) and the
"AuthorizationHeader" (identifying the "user").

And don't ask me about it, it's not my design.

Jan-Erik.

------------------------------

Date: Sun, 23 Dec 2007 13:26:17 -0500
From: Arne Vajhøj
Subject: Re: IMAP server security vulnerability
Message-ID: <476ea845$0$90272$14726298@news.sunsite.dk>

Richard Maher wrote:
> And for those of you who like VMS Auditing; how do you feel about the
> Server's username being logged against the audit logs for failed access
> attempts rather than the Client's username?

Since login is generally not required, and in a web context the users
usually do not have an account on the server, the server's username is
often what is available.

> Or wouldn't it be nice to have a
> trigger on an Rdb database table that could log the table access into an
> auditing table using the Session User Intrinsic rather than the System User?
If users are logged in, then for static content the access log will have
the info, and for dynamic content you can do whatever you want.

>> If it is web yes.
>
> Not necessarily!

If it is HTTP.

>> HTTPS for transport encryption and an old-fashioned username/password
>> is common.
>
> How is the username/password presented to the web-service? (In the
> wsse:token stuff, or plucked out of the URL, or passed as parameters?)

As arguments to a login call.

>> If you are to the advanced stuff you use WS-S, which is signing and
>> encryption at the message level instead of at the transport level.
>
> Ok, but can you explain a little more about the
> WS-Authorization/Authentication mechanisms involved?

WS-S basically normalizes the XML and signs/encrypts it using
private-public keys. The caller can be authenticated that way.
Authorization has to be built into the service.

> I guess I was asking
> Jan-Erik which method his SOAP implementation was using to pass
> Client-Authorization so that we could at least have a real world SOAP
> example.

I don't think I know a public web service that uses WS-S. The situations
where it is used are usually "very non-public".

> The gSOAP site says that gSOAP supports WS-Security and unless Jan-Erik's
> client doesn't request much except read-only Google-maps or "Give me the
> weather forecast" stuff, I'm guessing that the target of his SOAP-call would
> want to validate that a) the client is who he says he is, and b) that he's
> authorized to perform the requested action on the requested data. I, for
> one, am very interested in the codepath for how this is being achieved!

WS-S provides #a but not #b.

> Do you have to pass authorization for each SOAP call, or are you aiming for
> a Single-Sign-on mechanism like SAML? The term "Security Interceptors"
> sounds interesting also.

You can use WS-S with SAML and others. But basic WS-S is just signing the
message with the caller's private key and the server checking with the
public key.
I have never worked with SAML, so I can not comment on the authorization
part. There are several other WS-something specs that may be relevant.

> Who is your "Identity Provider"? How much does it cost? How long do the
> identities live? How do you prevent Identity-Hijacking a la mode de
> JavaScript Session-Hijacking? How could one integrate the Identity-providers
> "Identity" with our VMS Usernames?

A lot of the SOAP stuff is system-to-system oriented and does not use
sophisticated identity stuff. And I have never heard about a "SYSUAF based"
identity system.

> How many of you are working on, or have even seen (website please), an
> application that combines update functionality (not
> news/sports/weather-aggregators or language translators) from two or more
> disparate, heterogeneous SOAP servers and RPCs? WS-AT? "Business Activity"
> transactions? BEA got a debit/credit thing happening with OracleiAS
> somewhere?

I have seen a lot of SOAP stuff. None that is publicly available. As I
said earlier, the interesting stuff is usually not public.

I have not had to work with transaction WS standards - yet.

> SOAP by OASIS - talk about a horse designed by committee :-(

SOAP is a W3C standard, not an OASIS standard.

(but OASIS does a lot of the other WS standards mentioned)

Arne

------------------------------

Date: Sun, 23 Dec 2007 14:45:52 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID:

In article <476DB861.6010004@comcast.net>, "Richard B. Gilbert" writes:
>{...snip...}
>
>If you already knew, why did you imply that you needed to know?

The point is that the equinoxes and solstices vary; the 25th of December
does not.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"

http://tmesis.com/drat.html

------------------------------

Date: Sun, 23 Dec 2007 10:26:39 -0500
From: JF Mezei
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID: <476e7e5f$0$25326$c3e8da3@news.astraweb.com>

VAXman- @SendSpamHere.ORG wrote:
> The point is that the equinoxes and solstices vary; the 25th of December
> does not.

And December 25th is also a huge day for physicists since it proves it is
possible to travel faster than the speed of light (and have almost
instantaneous acceleration and deceleration). The sleigh Santa uses to
deliver the gifts to every kid around the world in 24 hours doesn't have
2 skis under it, they are 2 warp drive nacelles... the reindeer are just
for decoration.

------------------------------

Date: Sun, 23 Dec 2007 15:54:00 -0000
From: "David Biddulph"
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID:

"JF Mezei" wrote in message
news:476e7e5f$0$25326$c3e8da3@news.astraweb.com...
> VAXman- @SendSpamHere.ORG wrote:
>> The point is that the equinoxes and solstices vary; the 25th of December
>> does not.
>
> And December 25th is also a huge day for physicists since it proves it
> is possible to travel faster than the speed of light (and have almost
> instantaneous acceleration and deceleration). The sleigh Santa uses to
> deliver the gifts to every kid around the world in 24 hours doesn't
> have 2 skis under it, they are 2 warp drive nacelles... the reindeer are
> just for decoration.

But Swedish engineers have decided that Santa would do better if he
relocated from the North Pole to Kyrgyzstan:
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/12/23/nxmas223.xml
:-)
--
David Biddulph

------------------------------

Date: Sun, 23 Dec 2007 16:38:31 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID:

In article <476e7e5f$0$25326$c3e8da3@news.astraweb.com>, JF Mezei writes:
>VAXman- @SendSpamHere.ORG wrote:
>> The point is that the equinoxes and solstices vary; the 25th of December
>> does not.
>
>And December 25th is also a huge day for physicists since it proves it
>is possible to travel faster than the speed of light (and have almost
>instantaneous acceleration and deceleration). The sleigh Santa uses to
>deliver the gifts to every kid around the world in 24 hours doesn't
>have 2 skis under it, they are 2 warp drive nacelles... the reindeer are
>just for decoration.

Unfortunately that isn't enough. Santa has to get off his sleigh and climb
down all those chimneys. However, he came up with a brilliant solution:
time travel. He'd have a brief break from Christmas Day until New Year's,
and then on the 2nd of January and every subsequent day he would travel
back to Christmas Eve to deliver the presents.

This worked great when he started. Unfortunately the number of children
kept on growing and growing, so first of all he lost his winter break and
then he started falling further behind. He's now coming back to deliver
presents for this Xmas Eve from the year 3000 or thereabouts.

He just hopes God doesn't decide to hold the apocalypse, since so long as
the Universe keeps on going no one, not even God, can point to any Xmas
Eve when he won't have delivered the presents; but if the Universe were to
end he would no longer be able to travel back, and hence would have
signalled the coming apocalypse years, decades, centuries or millennia in
advance because he would have stopped delivering the presents. That would
probably annoy God a little.

[Santa has a small chance to catch up if the apocalypse doesn't happen and
the human race drastically reduces its population, so he could start
catching up again, but until that happens he is going to fall further and
further behind.]

(This is a variant of Russell's Tristram Shandy paradox:

"Tristram Shandy, as we know, took two years writing the history of the
first two days of his life, and lamented that, at this rate, material
would accumulate faster than he could deal with it, so that he could never
come to an end.
Now I maintain that, if he had lived forever, and not wearied of his task,
then, even if his life had continued as eventfully as it began, no part of
his biography would have remained unwritten. This paradox, which I shall
show is strictly correlative to the Achilles, may be called for
convenience the Tristram Shandy."

which is based on Laurence Sterne's book "The Life and Opinions of
Tristram Shandy, Gentleman")

Merry XMAS everyone

David Webb
Security team leader
CCSS
Middlesex University

------------------------------

End of INFO-VAX 2007.702
************************
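Added example for the WS-Security exchange in the IMAP thread above (Arne's description of basic WS-S: normalize the XML, sign it with the caller's private key, let the server check with the public key, and build authorization into the service; Jan-Erik's pointer to a SOAP service whose AuthenticationHeader identifies the client app). This is not code from any poster, from gSOAP, or from the Tradera API. It assumes a constructed SOAP envelope with an AuthenticationHeader carrying a hypothetical client id "app-42", a service-side registry that maps that id to a public key and an allowed-operation set, and a textbook RSA written inline (no padding, small keys) so the script runs on the Python standard library alone; a real deployment would use XML-DSig through a library, not this toy.

```python
"""WS-Security-style message-level signing (added example, not from the thread):
canonicalize the SOAP Body, sign its digest with the caller's private key,
verify at the server with the caller's registered public key, then apply the
service's own authorization rule.  Toy RSA, standard library only."""
import hashlib
import secrets
import xml.etree.ElementTree as ET

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 4:
        return n in (2, 3)
    for p in SMALL_PRIMES:              # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):              # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # fixed size, odd
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 256):
    """(public, private) as ((n, e), (n, d)).  The service stores the public
    half against the client id; the client keeps the private half."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:           # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def signed_part(envelope_xml: str) -> bytes:
    """Bytes both sides hash: the C14N form of the Body with insignificant
    whitespace stripped, so re-indentation in transit does not break the
    signature but any change to the content does."""
    body = ET.fromstring(envelope_xml).find("Body")
    if body is None:
        raise ValueError("no Body element")
    body.tail = None
    return ET.canonicalize(ET.tostring(body, encoding="unicode"),
                           strip_text=True).encode()


def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_body(envelope_xml: str, priv) -> int:
    n, d = priv
    return pow(digest_int(signed_part(envelope_xml), n), d, n)


def verify_body(envelope_xml: str, signature: int, pub) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest_int(signed_part(envelope_xml), n)


def build_envelope(app_id: str, operation: str, item_id: str) -> str:
    """Constructed envelope after the AuthenticationHeader style (no escaping)."""
    return (f"<Envelope><Header><AuthenticationHeader><AppId>{app_id}</AppId>"
            f"</AuthenticationHeader></Header><Body><{operation}><ItemId>"
            f"{item_id}</ItemId></{operation}></Body></Envelope>")


def make_registry(app_id: str, pub) -> dict:
    """Constructed service-side table: the signature proves who the caller is;
    which operations that caller may invoke is the service's own data."""
    return {app_id: {"pubkey": pub, "allowed": {"GetItem", "SearchItems"}}}


def handle_request(envelope_xml: str, signature: int, registry: dict) -> str:
    """Server: authenticate by signature (WS-S), then authorize by the table."""
    root = ET.fromstring(envelope_xml)
    client = registry.get(root.findtext("Header/AuthenticationHeader/AppId"))
    if client is None:
        return "401 unknown client"
    if not verify_body(envelope_xml, signature, client["pubkey"]):
        return "401 bad signature"
    operation = root.find("Body")[0].tag
    if operation not in client["allowed"]:
        return f"403 not authorized for {operation}"
    return f"200 {operation} accepted"


if __name__ == "__main__":
    pub, priv = gen_keypair()
    registry = make_registry("app-42", pub)
    env = build_envelope("app-42", "GetItem", "12345")
    sig = sign_body(env, priv)
    print(handle_request(env, sig, registry))                                   # 200
    print(handle_request(env.replace("<Body>", "<Body>\n  "), sig, registry))  # 200, whitespace only
    print(handle_request(env.replace("12345", "99999"), sig, registry))         # 401, tampered
    denied = build_envelope("app-42", "DeleteItem", "12345")
    print(handle_request(denied, sign_body(denied, priv), registry))            # 403, signed but not allowed
```

The four calls at the bottom are the point of the exchange: a re-indented message still verifies because both sides hash the canonical form, a one-character change to the Body fails the signature, and a correctly signed request for an operation the client is not entitled to is rejected only because the service keeps its own allowed-operation table, which is the "#b" that WS-S does not provide.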