[CAP] CAP Security Using Digital Signatures

Art Botterell acb at incident.com
Wed Mar 11 20:20:14 PDT 2009


Friends -

We're moving rapidly toward an important threshold in CAP  
implementations.  So far, most CAP-based systems have been self- 
contained, single vendor/implementer arrangements.  But soon we're  
going to need to "federate" CAP traffic among multiple interoperable  
systems.  And that has important implications for security.

Most current systems use a trusted-link/trusted-host mode based on  
encrypted network links and password access control at a central  
server.  That's a familiar Web 1.0 approach and it works fine for  
"single-hop" implementations.  But it has a major drawback: As soon as  
messages are forwarded from one server to another, a security  
compromise anywhere can compromise the authentication and integrity of  
all CAP messages downstream.

The alternative, of course, is to apply digital signatures to CAP  
messages at their origin, and to verify them at receiving points.   
That way, it doesn't matter if the links or intervening nodes are  
secure or not; any recipient can verify independently that the message  
is a) from who it says it's from, and b) hasn't been modified in  
transit.

There's a standard way of doing this for XML, as cited in the CAP  
Specification:

 >3.3.2.1 Digital Signatures
 >The alert element of a CAP Alert Message MAY have an Enveloped
 >Signature, as described by XML Signature and Syntax Processing
 >[XMLSIG]. Other XML signature mechanisms MUST NOT be used in CAP
 >Alert Messages.  Processors MUST NOT reject a CAP Alert Message
 >containing such a signature simply because they are not capable of
 >verifying it; they MUST continue processing and MAY inform the user
 >of their failure to validate the signature.

But I'm not aware of anyone that's implemented it yet... partly  
because it hasn't been necessary in stand-alone systems, and partly  
because it involves a type of programming a lot of folks haven't had  
occasion to explore yet.

But ultimately, it's going to be essential for interoperability.  So  
I'd be interested in hearing, has anyone implemented XMLSIG on CAP  
yet?  And would anyone be interested in doing some interoperability  
experiments?  The standard is there, the technology is there (in Java  
and a number of other languages) and I see the requirement bearing  
down on us quickly.

What say?

- Art
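An added example, not from this post or from any CAP implementation, of the enveloped-signature arrangement in 3.3.2.1 using the XMLDSig API that ships with Java (javax.xml.crypto.dsig); the alert content, the key pair and the class and method names are constructed for illustration. It goes one step past the spec text by showing the point of the whole exercise: the origin signs, a recipient verifies with a key it already trusts, and a change made at an intermediate hop is caught.

```java
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
public class CapEnvelopedSignature {
    static final String CAP_NS = "urn:oasis:names:tc:emergency:cap:1.1";
    // Constructed minimal alert for illustration; not a real message.
    static final String CAP = "<?xml version=\"1.0\"?><alert xmlns=\"" + CAP_NS + "\">"
        + "<identifier>EXAMPLE-0001</identifier><sender>ops@example.org</sender>"
        + "<sent>2009-03-11T20:20:14-07:00</sent><status>Test</status><msgType>Alert</msgType><scope>Public</scope></alert>";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required: XMLDSig processing is namespace-sensitive
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(CAP.getBytes("UTF-8")));
        // Origin's key pair; in practice the private key exists only at the originating server.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Reference URI "" = the document containing the signature; the enveloped transform
        // removes the <Signature> element itself before digesting, so the whole <alert> is covered.
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = FAC.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        // sign() appends <Signature> as the last child of <alert>: an enveloped signature per 3.3.2.1
        FAC.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        System.out.println("as signed:    " + verify(doc, kp.getPublic()));   // true
        // An intermediate hop alters one field; any downstream recipient can now detect it.
        doc.getElementsByTagNameNS(CAP_NS, "status").item(0).setTextContent("Actual");
        System.out.println("after tamper: " + verify(doc, kp.getPublic()));   // false
    }
    // Verify against a key the recipient trusts from out-of-band configuration, never the
    // KeyValue carried inside the message, which a forger can supply along with the forgery.
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false; // exactly one signature element, or reject
        DOMValidateContext ctx = new DOMValidateContext(trusted, nl.item(0));
        return FAC.unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```

validate() caches its result on a given XMLSignature object, so each check re-unmarshals from the DOM; a processor that follows the "MUST continue processing" clause would log a false result rather than drop the alert.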
