W3C home > Mailing lists > Public > public-ws-addressing-comments@w3.org > April 2005

Fwd: Last call issue with ReplyTo and security

From: Mark Nottingham <mark.nottingham@bea.com>
Date: Mon, 25 Apr 2005 12:31:27 -0700
Message-Id: <e2eb5d4a0d29c637dd5044bc3e63cfe7@bea.com>
To: "<public-ws-addressing-comments@w3.org> <public-ws-addressing-comments@w3.org>" <public-ws-addressing-comments@w3.org>

Resending due to archive problems.

Begin forwarded message:

> Resent-From: public-ws-addressing-comments@w3.org
> From: "Tim Ewald" <tim@mindreef.com>
> Date: April 18, 2005 1:51:25 PM PDT
> To: <public-ws-addressing-comments@w3.org>
> Subject: Last call issue with ReplyTo and security
> Reply-To: <tim@mindreef.com>
> Organization: MindReef
> X-Archived-At: http://www.w3.org/mid/
>
>
> As I read the spec, a compliant WS-Addressing based endpoint MUST use 
> the
> value in the ReplyTo header as the place to send a reply message. 
> Further,
> when a reply is expected, the ReplyTo header must be present. Because 
> of
> this, the section on security recommends that a service SHOULD only 
> use EPRs
> from trusted sources.
>
> My issue with this is that it isn't enough to trust the source, I have 
> to
> trust that source that it's okay to send reply messages to the 
> requested
> endpoint. I may trust one source enough to send messages to a specific,
> prearranged domain, but it is unlikely that I trust a source enough to 
> send
> messages anywhere. In the absence of that very specific trust, it seems
> reasonable that a service would trust a client enough to process the 
> request
> and to send the response back to the client on the same connection 
> (sort of
> the inverse of the Java applet sandboxing model).
>
> To implement that, a service would check for a ReplyTo header - which 
> must
> be present in the case of a reply - and check to see whether the 
> address was
> the anonymous URI. If the address is anything else, the service should 
> raise
> a fault. As I read the spec, however, that is not allowed.
>
> In short, if a ReplyTo is required and MUST be honored, then I have no
> choice but to ensure that I trust sources of EPRs enough to let them 
> tell me
> to send messages to an arbitrary address (which is a lot of trust 
> indeed!).
> If I can't do that, I have to either violate the protocol or just not 
> use
> WS-Addressing.
>
> I faced this precise issue when I worked at MSDN. We considered using 
> WSE to
> implement our services, but it honored the ReplyTo header. Since MSDN 
> offers
> services that are used by the public (indirectly via VS.NET), we didn't
> trust callers enough to get us to pummel arbitrary URIs with messages. 
> As a
> result, WSE added a feature to disable ReplyTo/FaultTo processing, and 
> they
> are disabled by default.
>
> Given the importance of security, I believe the WS-Addressing spec must
> address this issue. Simply saying that services SHOULD only use 
> endpoints
> from trusted sources is NOT sufficient.
>
> Thanks,
> Tim-
>
> _______________________
> Tim Ewald
> http://www.mindreef.com
>
>
>
>

--
Mark Nottingham   Principal Technologist
Office of the CTO   BEA Systems
Received on Monday, 25 April 2005 19:31:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:19:38 GMT