> The cool thing about a signed secure e-mail message is that you get
> non-repudiation.  If at a later time company B tells company A, hey I
> never sent you a Purchase Order for 1 million widgets..  company A can
> show them the signed secure e-mail message that they received the PO in.
> It would be harder to do something like that over http.

That's not non-repudiation (or at least my understanding of it).
Non-repudiation also provides for company B knowing that company A received
it so that if company B doesn't fill the PO company A can say "I know you
received it".

nonetheless signed soap messages do (in theory) fill that hole in SOAP/SMTP
...

cheers
dim

>
> Regards,
> Hiram
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:jboss-development-admin@;lists.sourceforge.net]On Behalf Of Matt
> > Munz
> > Sent: Thursday, November 14, 2002 10:55 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [JBoss-dev] jboss.net email transport
> >
> >
> > Jason,
> >
> >   Well, you've piqued my interest...
> >
> > > This method(with digital signatures/encryption) would be more secure
> > > than the Http(s) transport,
> >
> > Really?  Any articles on the subject?
> >
> > > Authentication would be near definite
> > > (rather hard to fake),
> >
> > Is there something in the mail protocol that facilitates this?
> > I'd love to
> > see a strong argument for "email is more secure than https"...
> >
> > > the server would not be exposed to the big bad
> > > internet,
> >
> > Hmmm.  Email attacks are fairly common.  Email is, by definition,
> > a part of
> > the internet.  I'm not sure where you're going with this...
> >
> > > and the company's IT guys don't have to set up a VPN to every
> > > outside source that needs to update data in the server.
> >
> > VPNs are bad ;)  What's wrong with the tried and true "poking a
> > hole in the
> > firewall" technique?  What about https?
> >
> > Is the idea that "they have to have email anyway, so let's just
> > tunnel over
> > that"?  Wasn't this same argument used for HTTP tunnelling?
> >
> >   - Matt
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:jboss-development-admin@;lists.sourceforge.net]On Behalf Of Jason
> > Essington
> > Sent: Thursday, November 14, 2002 10:33 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [JBoss-dev] jboss.net email transport
> >
> >
> > Hi Matt,
> >
> > Given an instance where a company would place a server on its intranet
> > (behind a firewall that does not allow incoming connections from the
> > internet).
> >
> > Now, if this company wanted to receive periodic updates to some
> > semi-static data (iso country codes for instance) from a source on the
> > internet. This source would need a VPN to get through the company's
> > firewall (major hassle if this source has to update many servers, or if
> > the company needs data updated from many different sources) or it could
> > send a Signed and possibly Encrypted email to a mail account the
> > company has set up for the server. The server checks its email at a
> > configured interval and processes any soap messages it finds there. The
> > digital signature is used for message verification and authentication,
> > while encryption could be used to protect sensitive parts of the
> > message. The message is processed and its response (or fault) is
> > returned to the original sender via the mail server.
> >
> > This method(with digital signatures/encryption) would be more secure
> > than the Http(s) transport, Authentication would be near definite
> > (rather hard to fake), the server would not be exposed to the big bad
> > internet, and the company's IT guys don't have to set up a VPN to every
> > outside source that needs to update data in the server.
> >
> > All in all, an email transport with digital signatures and encryption
> > has quite a bit of promise as a secure way to allow data to pass
> > through/around a firewall without too much extra hassle. There would
> > need to be a mechanism for key exchange, but no work on the part of IT.
> >
> > -jason
> >
> > On Thursday, November 14, 2002, at 07:21  AM, Matt Munz wrote:
> >
> > > Jason,
> > >
> > >   Just out of curiosity, what would you use this for?
> > >
> > >   - Matt
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:jboss-development-admin@;lists.sourceforge.net]On Behalf Of
> > > Jason
> > > Essington
> > > Sent: Wednesday, November 13, 2002 5:48 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [JBoss-dev] jboss.net email transport
> > >
> > >
> > > Hi all
> > >
> > > I have managed to get a fairly crude email transport working in
> > > jboss.net (It is lurking in head). I would appreciate any comments /
> > > design ideas from folks who are interested.
> > >
> > > Check the javadocs in org.jboss.net.axis.mail.MailTransportService to
> > > see how to set it up.
> > >
> > > It will currently process emails with simple soap messages (no
> > > attachments). It requires the content type to be application/soap+xml
> > > with the action attribute set to the desired service.
> > >
> > > i.e. content-type: application/soap+xml; action=SomeService
> > >
> > > The response message is returned to the sender via email.
> > >
> > > Since email doesn't really have any type of authentication framework
> > > the transport will only work with ejb's / ejb methods that have
> > > unchecked permissions.
> > >
> > > I have been able to sign (DSA) a soap message using apache's
> > > xml-security library and have jboss.net verify the signature (I
> > > haven't submitted this handler yet, as it depends on the apache
> > > xml-security library that would have to be added to the thirdparty
> > > libs).
> > >
> > > I think this is the first step to some sort of authentication via
> > > email (and cryptographic authentication by other transports as well).
> > > but . . .
> > > I haven't figured out how to go about trusting a given signature and
> > > mapping it to a Subject. This is where I could use the help of someone
> > > with a better knowledge of jaas and JBossSX than myself.
> > >
> > > Thanks for any feedback
> > >
> > > -jason
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by: Are you worried about
> > > your web server security? Click here for a FREE Thawte
> > > Apache SSL Guide and answer your Apache SSL security
> > > needs: http://www.gothawte.com/rd523.html
> > > _______________________________________________
> > > Jboss-development mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/jboss-development
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by: To learn the basics of securing
> > > your web site with SSL, click here to get a FREE TRIAL of a Thawte
> > > Server Certificate: http://www.gothawte.com/rd524.html
> > >
> > >
> > -jason
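Added example, not part of the thread and not jboss.net code: one way to approach the open question in the original post (trusting a given signature and mapping it to a Subject) is to pin signer keys in a trust store and resolve the principal by key fingerprint before dispatching the requested action. The `SignedMailGate` class, the `Grant` record, the principal name, and the choice to sign the content-type line together with the body using the JDK `Signature` API instead of apache xml-security are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
public class SignedMailGate {
    // Hypothetical trust store: SHA-256 of a signer's public key -> principal and permitted actions.
    record Grant(String principal, Set<String> actions) {}
    final Map<String, Grant> trusted = new HashMap<>();
    static String fingerprint(PublicKey key) throws GeneralSecurityException {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(key.getEncoded()));
    }
    // Extract the action parameter from "content-type: application/soap+xml; action=SomeService".
    static String action(String header) {
        String[] parts = header.replaceFirst("(?i)^content-type:\\s*", "").split(";");
        if (!parts[0].trim().equalsIgnoreCase("application/soap+xml")) return null;
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("action")) return kv[1].trim();
        }
        return null;
    }
    // Returns the principal to run the call as; throws if the signer, signature or action is not acceptable.
    String authenticate(String message, byte[] sig, PublicKey signer) throws GeneralSecurityException {
        Grant grant = trusted.get(fingerprint(signer)); // a key that merely verifies is not yet a trusted key
        if (grant == null) throw new SecurityException("signer key is not in the trust store");
        Signature verifier = Signature.getInstance("SHA256withDSA");
        verifier.initVerify(signer);
        verifier.update(message.getBytes(StandardCharsets.UTF_8)); // header line and body are both covered
        if (!verifier.verify(sig)) throw new SecurityException("signature does not verify");
        String requested = action(message.lines().findFirst().orElse(""));
        if (requested == null || !grant.actions().contains(requested))
            throw new SecurityException("action not granted to " + grant.principal());
        return grant.principal();
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DSA");
        gen.initialize(2048);
        KeyPair partner = gen.generateKeyPair(), stranger = gen.generateKeyPair();
        SignedMailGate gate = new SignedMailGate();
        gate.trusted.put(fingerprint(partner.getPublic()), new Grant("country-code-feed", Set.of("SomeService")));
        // Constructed sample message: content-type line, blank line, SOAP body.
        String msg = "content-type: application/soap+xml; action=SomeService\n\n<Envelope>constructed</Envelope>";
        for (KeyPair kp : List.of(partner, stranger)) { // both signatures verify; only one signer is trusted
            Signature s = Signature.getInstance("SHA256withDSA");
            s.initSign(kp.getPrivate());
            s.update(msg.getBytes(StandardCharsets.UTF_8));
            try {
                System.out.println("accepted as " + gate.authenticate(msg, s.sign(), kp.getPublic()));
            } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The second signer produces a mathematically valid signature and is still rejected, because identity comes from the trust-store lookup rather than from the fact that verification succeeded.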