Another Security Consideration

From: Jonathan Marsh <jmarsh@microsoft.com>
Date: Tue, 3 May 2005 14:10:00 -0700
Message-ID: <7DA77BF2392448449D094BCEF67569A50766A1A3@RED-MSG-30.redmond.corp.microsoft.com>
To: <public-ws-addressing-comments@w3.org>

Our security experts have uncovered another consideration that we plan
to address in our WS-Addressing implementation.  It might prove valuable
to other implementers as well.

The current Security Considerations section (4) in the Core spec says:
  
  "Some processors may use message identifiers ([message id]) as part of
  a uniqueness metric in order to detect replays of messages. Care
  should be taken to ensure that for purposes of replay detection, the
  message identifier is combined with other data, such as a timestamp,
  so that a legitimate retransmission of the message is not confused
  with a replay attack."

We propose to append the following to that paragraph:

  "It is also advisable to use message identifiers that are not
  predictable, to prevent attackers from constructing and sending
  an unsolicited reply to an outstanding request without having to 
  see the actual request message."
Received on Tuesday, 3 May 2005 21:10:18 GMT
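
The two considerations quoted in the message above, as an added Python example that is not part of the original message or of any WS-Addressing implementation: unpredictable [message id] values for reply correlation, and replay detection keyed on the identifier combined with a timestamp. The class and method names are hypothetical, timestamps are assumed to be seconds and integrity-protected by the message security layer, and the timeout values are illustrative.

```python
import uuid

class MessageTracker:
    """Bookkeeping for WS-Addressing [message id] values (hypothetical helper)."""

    def __init__(self, reply_timeout=30.0, replay_window=300.0):
        self.reply_timeout = reply_timeout  # seconds a request stays outstanding
        self.replay_window = replay_window  # seconds an (id, timestamp) pair is remembered
        self.outstanding = {}               # message id -> reply deadline
        self.seen = {}                      # (message id, timestamp) -> cache expiry

    def new_request(self, now):
        """Issue an unpredictable [message id] and record it as awaiting a reply."""
        # uuid4 draws 122 random bits from the OS CSPRNG, unlike a counter or a
        # time-based uuid1, so the id cannot be guessed without seeing the request.
        message_id = "urn:uuid:" + str(uuid.uuid4())
        self.outstanding[message_id] = now + self.reply_timeout
        return message_id

    def accept_reply(self, relates_to, now):
        """Accept a reply only once, and only for a request still outstanding."""
        deadline = self.outstanding.pop(relates_to, None)
        return deadline is not None and now <= deadline

    def is_replay(self, message_id, timestamp, now):
        """Flag a stale timestamp or an (id, timestamp) pair that was already seen."""
        # Drop expired entries so the cache stays bounded.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if abs(now - timestamp) > self.replay_window:
            return True   # outside the window the cache can vouch for
        key = (message_id, timestamp)
        if key in self.seen:
            return True   # exact copy of an earlier message
        # A legitimate retransmission reuses the id with a fresh timestamp,
        # so it produces a different key and is not flagged.
        self.seen[key] = timestamp + self.replay_window
        return False
```
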