Hi Anass, IMHO this can be handled by signing the WS-Addressing headers in the message.
For example in the given scenario, the message from Aclice to Bob will have a "wsa:To" header which will hold the EPR of Bob. (Bob and Charlie are two services hence they have differnt EPRs). If Bob is to send a message to Charlie he will have in include Charlie's EPR in the wsa:To header in his message to Charlie. And he (Bob) will _not_ be able to do this and recompute the signature as Alice. Therefore the attack mentioned can be prevented. Also to prevent replaying of the message Alice can add a wsu:Timestamp and sign the wsu:Timestamp header as well. Thanks, Ruchith On 3/2/06, anass merzak <[EMAIL PROTECTED]> wrote: > hello all, > > I would like to know if wss4j is vulnerable to naive sign and encrypt trick, > because according to > http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html > approximately, if Alice send a signed message to bob, can bob send the same > message to charlie signed with alice signature (that it have receive), > and thus make believe charlie that it is Alice which have send the message > > Also, would like to know youre response to > http://neubia.com/archives/000363.html ,is wss4j immune > against such tricks. > > thank you alot. > > -- > > Anass Merzak > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
