xml-rpc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Wilson" <...@wilson.co.uk>
Subject Re: recent patches
Date Sat, 21 Sep 2002 16:49:42 GMT

----- Original Message -----
From: <arh14@cornell.edu>
To: <rpc-dev@xml.apache.org>
Sent: Friday, September 13, 2002 8:24 PM
Subject: Re: recent patches


[snip]

> Now say I want to actually encrypt the XML-RPC request by the Kerberos
> session key, which is obtained through the contextual info I pass.  Now
> you see a catch-22: I cannot encrypt the XML-RPC request if it contains
> the contextual info because the contextual info is needed to decrypt
> the request in the first place!

The XML Encryptions standard provides for encryption of only parts of an XML
document. The standard XML way of solving the problem you describe is to
encrypt the payload but not the envelope and the sign the entire document.

Now SOAP has envelope/payload parts and XML-RPC does not. It's not at all
hard to "simulate" an envelope in XML-RPC - The payload becomes a struct
with a string member being the method name and an array member being the
parameters. The call is made to a transcoding method which takes the payload
struct as one paramenter and another struct being the envelope.

This seems to me to be infinatly preferable to using out of band data like
headers.

(in your example - how can you detect if the headers have been tampered
with?)

John Wilson
The Wilson Partnership
http://www.wilson.co.uk



Mime
View raw message