Jason,

Well, you've piqued my interest...

> This method (with digital signatures/encryption) would be more secure
> than the Http(s) transport,

Really? Any articles on the subject?

> Authentication would be near definite
> (rather hard to fake),

Is there something in the mail protocol that facilitates this? I'd love to see a strong argument for "email is more secure than https"...

> the server would not be exposed to the big bad
> internet,

Hmmm. Email attacks are fairly common. Email is, by definition, a part of the internet. I'm not sure where you're going with this...

> and the company's IT guys don't have to set up a VPN to every
> outside source that needs to update data in the server.

VPNs are bad ;) What's wrong with the tried and true "poking a hole in the firewall" technique? What about https? Is the idea that "they have to have email anyway, so let's just tunnel over that"? Wasn't this same argument used for HTTP tunnelling?

- Matt

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:jboss-development-admin@;lists.sourceforge.net]On Behalf Of Jason Essington
Sent: Thursday, November 14, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-dev] jboss.net email transport

Hi Matt,

Given an instance where a company would place a server on its intranet (behind a firewall that does not allow incoming connections from the internet). Now, if this company wanted to receive periodic updates to some semi-static data (iso country codes for instance) from a source on the internet. This source would need a VPN to get through the company's firewall (major hassle if this source has to update many servers, or if the company needs data updated from many different sources) or it could send a Signed and possibly Encrypted email to a mail account the company has set up for the server. The server checks its email at a configured interval and processes any soap messages it finds there.
The digital signature is used for message verification and authentication, while encryption could be used to protect sensitive parts of the message. The message is processed and its response (or fault) is returned to the original sender via the mail server.

This method (with digital signatures/encryption) would be more secure than the Http(s) transport, Authentication would be near definite (rather hard to fake), the server would not be exposed to the big bad internet, and the company's IT guys don't have to set up a VPN to every outside source that needs to update data in the server.

All in all, an email transport with digital signatures and encryption has quite a bit of promise as a secure way to allow data to pass through/around a firewall without too much extra hassle. There would need to be a mechanism for key exchange, but no work on the part of IT.

-jason

On Thursday, November 14, 2002, at 07:21 AM, Matt Munz wrote:

> Jason,
>
> Just out of curiosity, what would you use this for?
>
> - Matt
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:jboss-development-admin@;lists.sourceforge.net]On Behalf Of Jason Essington
> Sent: Wednesday, November 13, 2002 5:48 PM
> To: [EMAIL PROTECTED]
> Subject: [JBoss-dev] jboss.net email transport
>
> Hi all
>
> I have managed to get a fairly crude email transport working in
> jboss.net (It is lurking in head). I would appreciate any comments /
> design ideas from folks who are interested.
>
> Check the javadocs in org.jboss.net.axis.mail.MailTransportService to
> see how to set it up.
>
> It will currently process emails with simple soap messages (no
> attachments). It requires the content type to be application/soap+xml
> with the action attribute set to the desired service.
>
> i.e. content-type: application/soap+xml; action=SomeService
>
> The response message is returned to the sender via email.
>
> Since email doesn't really have any type of authentication framework
> the transport will only work with ejb's / ejb methods that have
> unchecked permissions.
>
> I have been able to sign (DSA) a soap message using apache's
> xml-security library and have jboss.net verify the signature (I haven't
> submitted this handler yet, as it depends on the apache xml-security
> library that would have to be added to the thirdparty libs).
>
> I think this is the first step to some sort of authentication via email
> (and cryptographic authentication by other transports as well). but . . .
> I haven't figured out how to go about trusting a given signature and
> mapping it to a Subject. This is where I could use the help of someone
> with a better knowledge of jaas and JBossSX than myself.
>
> Thanks for any feedback
>
> -jason

-jason
_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
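
An added example, not code from this thread or from jboss.net: one way to approach the open question in the original post (trusting a signature and mapping it to a principal) is to pin each partner's public key by fingerprint and accept only signatures made with a pinned key. The `SignedMailGate` class, the keys and the principal name are hypothetical, and the sketch signs the raw body bytes with the JDK's `SHA256withDSA` instead of producing an XML signature with the xml-security library.

```java
import java.security.*;
import java.util.*;

public class SignedMailGate {
    // Pinned signers: key fingerprint -> (public key, principal), exchanged out of band.
    private final Map<String, Map.Entry<PublicKey, String>> pinned = new HashMap<>();
    static String fingerprint(PublicKey key) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(d);
    }
    void trust(PublicKey key, String principal) throws GeneralSecurityException {
        pinned.put(fingerprint(key), Map.entry(key, principal));
    }
    // Returns the action from "application/soap+xml; action=SomeService", or null.
    static String action(String contentType) {
        String[] parts = contentType.split(";");
        if (!parts[0].trim().equalsIgnoreCase("application/soap+xml")) return null;
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].split("=", 2);
            if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("action")) return kv[1].trim();
        }
        return null;
    }
    // Principal for a body signed by a pinned key; null for unknown signers or bad signatures.
    String authenticate(PublicKey claimed, byte[] body, byte[] sig) throws GeneralSecurityException {
        Map.Entry<PublicKey, String> e = pinned.get(fingerprint(claimed));
        if (e == null) return null; // a valid signature from an unpinned key proves nothing
        Signature v = Signature.getInstance("SHA256withDSA");
        v.initVerify(e.getKey());
        v.update(body);
        try { return v.verify(sig) ? e.getValue() : null; }
        catch (SignatureException malformed) { return null; } // undecodable signature bytes
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("DSA");
        g.initialize(2048);
        KeyPair partner = g.generateKeyPair(), stranger = g.generateKeyPair(); // constructed keys
        SignedMailGate gate = new SignedMailGate();
        gate.trust(partner.getPublic(), "country-code-feed"); // constructed principal name
        byte[] body = "<Envelope>update</Envelope>".getBytes(java.nio.charset.StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(partner.getPrivate()); s.update(body);
        byte[] sig = s.sign();
        System.out.println(action("application/soap+xml; action=SomeService"));
        System.out.println(gate.authenticate(partner.getPublic(), body, sig));  // pinned signer
        System.out.println(gate.authenticate(stranger.getPublic(), body, sig)); // unpinned signer
        body[1] ^= 1; // body altered after signing
        System.out.println(gate.authenticate(partner.getPublic(), body, sig));
    }
}
```

Only the first `authenticate` call yields a principal; the unpinned signer and the altered body both come back as `null`, which is the point at which a transport would refuse to invoke the service.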