The cool thing about a signed secure e-mail message is that you get non-repudiation. If at a later time company B tells company A, "Hey, I never sent you a Purchase Order for 1 million widgets," company A can show them the signed secure e-mail message that they received the PO in. It would be harder to do something like that over http.

Regards,
Hiram

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:jboss-development-admin@;lists.sourceforge.net]On Behalf Of Matt
> Munz
> Sent: Thursday, November 14, 2002 10:55 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [JBoss-dev] jboss.net email transport
>
>
> Jason,
>
> Well, you've piqued my interest...
>
> > This method (with digital signatures/encryption) would be more secure
> > than the Http(s) transport,
>
> Really? Any articles on the subject?
>
> > Authentication would be near definite
> > (rather hard to fake),
>
> Is there something in the mail protocol that facilitates this? I'd love to
> see a strong argument for "email is more secure than https"...
>
> > the server would not be exposed to the big bad
> > internet,
>
> Hmmm. Email attacks are fairly common. Email is, by definition, a part of
> the internet. I'm not sure where you're going with this...
>
> > and the company's IT guys don't have to set up a VPN to every
> > outside source that needs to update data in the server.
>
> VPNs are bad ;) What's wrong with the tried and true "poking a hole in the
> firewall" technique? What about https?
>
> Is the idea that "they have to have email anyway, so let's just tunnel over
> that"? Wasn't this same argument used for HTTP tunnelling?
>
> - Matt
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:jboss-development-admin@;lists.sourceforge.net]On Behalf Of Jason
> Essington
> Sent: Thursday, November 14, 2002 10:33 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [JBoss-dev] jboss.net email transport
>
>
> Hi Matt,
>
> Given an instance where a company would place a server on its intranet
> (behind a firewall that does not allow incoming connections from the
> internet).
>
> Now, if this company wanted to receive periodic updates to some
> semi-static data (iso country codes for instance) from a source on the
> internet. This source would need a VPN to get through the company's
> firewall (major hassle if this source has to update many servers, or if
> the company needs data updated from many different sources) or it could
> send a Signed and possibly Encrypted email to a mail account the
> company has set up for the server. The server checks its email at a
> configured interval and processes any soap messages it finds there. The
> digital signature is used for message verification and authentication,
> while encryption could be used to protect sensitive parts of the
> message. The message is processed and its response (or fault) is
> returned to the original sender via the mail server.
>
> This method (with digital signatures/encryption) would be more secure
> than the Http(s) transport, Authentication would be near definite
> (rather hard to fake), the server would not be exposed to the big bad
> internet, and the company's IT guys don't have to set up a VPN to every
> outside source that needs to update data in the server.
>
> All in all, an email transport with digital signatures and encryption
> has quite a bit of promise as a secure way to allow data to pass
> through/around a firewall without too much extra hassle. There would
> need to be a mechanism for key exchange, but no work on the part of IT.
>
> -jason
>
> On Thursday, November 14, 2002, at 07:21 AM, Matt Munz wrote:
>
> > Jason,
> >
> > Just out of curiosity, what would you use this for?
> >
> > - Matt
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:jboss-development-admin@;lists.sourceforge.net]On Behalf Of
> > Jason
> > Essington
> > Sent: Wednesday, November 13, 2002 5:48 PM
> > To: [EMAIL PROTECTED]
> > Subject: [JBoss-dev] jboss.net email transport
> >
> >
> > Hi all
> >
> > I have managed to get a fairly crude email transport working in
> > jboss.net (It is lurking in head). I would appreciate any comments /
> > design ideas from folks who are interested.
> >
> > Check the javadocs in org.jboss.net.axis.mail.MailTransportService to
> > see how to set it up.
> >
> > It will currently process emails with simple soap messages (no
> > attachments). It requires the content type to be application/soap+xml
> > with the action attribute set to the desired service.
> >
> > i.e. content-type: application/soap+xml; action=SomeService
> >
> > The response message is returned to the sender via email.
> >
> > Since email doesn't really have any type of authentication framework
> > the transport will only work with ejb's / ejb methods that have
> > unchecked permissions.
> >
> > I have been able to sign (DSA) a soap message using apache's
> > xml-security library and have jboss.net verify the signature (I haven't
> > submitted this handler yet, as it depends on the apache xml-security
> > library that would have to be added to the thirdparty libs).
> >
> > I think this is the first step to some sort of authentication via email
> > (and cryptographic authentication by other transports as well). but . . .
> > I haven't figured out how to go about trusting a given signature and
> > mapping it to a Subject. This is where I could use the help of someone
> > with a better knowledge of jaas and JBossSX than myself.
> >
> > Thanks for any feedback
> >
> > -jason
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by: Are you worried about
> > your web server security?
> > Click here for a FREE Thawte
> > Apache SSL Guide and answer your Apache SSL security
> > needs: http://www.gothawte.com/rd523.html
> > _______________________________________________
> > Jboss-development mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/jboss-development
>
> -jason
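
Added example, not part of the original thread or of the jboss.net code: one way to approach the open question in the quoted message (trusting a given signature and mapping it to a Subject) is to pin each sender's public key out of band and look the signer up by key fingerprint before verifying. It checks a raw DSA signature over the message bytes with the JDK's `java.security.Signature` rather than an XML signature via xml-security; the class and record names, the trust map, the sender name and the sample body are hypothetical, and it assumes Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

public class SignedMailAuth {
    // Hypothetical principal type; the thread does not define one.
    record Sender(String name) implements Principal { public String getName() { return name; } }
    // Pinned out of band: SHA-256 fingerprint of the encoded key -> key + sender name.
    record Trusted(PublicKey key, String name) {}
    static final Map<String, Trusted> TRUST = new HashMap<>();

    static String fingerprint(PublicKey k) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(k.getEncoded());
        return HexFormat.of().formatHex(d);
    }

    // Returns a Subject only for a pinned signer with a valid signature.
    static Subject authenticate(String keyId, byte[] body, byte[] sig)
            throws GeneralSecurityException {
        Trusted t = TRUST.get(keyId); // never take the key from the message itself
        if (t == null) throw new SecurityException("unknown signer");
        Signature v = Signature.getInstance("SHA256withDSA");
        v.initVerify(t.key());
        v.update(body);
        if (!v.verify(sig)) throw new SecurityException("bad signature");
        Subject s = new Subject();
        s.getPrincipals().add(new Sender(t.name()));
        return s;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("DSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // constructed test key
        String id = fingerprint(kp.getPublic());
        TRUST.put(id, new Trusted(kp.getPublic(), "company-b-updates"));
        // Constructed sample body standing in for the SOAP message bytes.
        byte[] body = "<Envelope><Body>PO</Body></Envelope>".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(kp.getPrivate());
        s.update(body);
        byte[] sig = s.sign();
        System.out.println(authenticate(id, body, sig).getPrincipals());
        body[1] ^= 1; // simulate tampering in transit
        try { authenticate(id, body, sig); } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the original message bytes and signature alongside the pinned key is what lets the receiver re-run the same check later, which is the non-repudiation property described at the top of the message.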