W3C home > Mailing lists > Public > public-ws-addressing@w3.org > November 2004

RE: ISSUE 8 : "Clarity and Safety"

From: Martin Gudgin <mgudgin@microsoft.com>
Date: Mon, 22 Nov 2004 11:19:01 -0800
Message-ID: <DD35CC66F54D8248B6E04232892B633804099D3E@RED-MSG-43.redmond.corp.microsoft.com>
To: "Hugo Haas" <hugo@w3.org>
Cc: "Glen Daniels" <gdaniels@sonicsoftware.com>, <public-ws-addressing@w3.org>

 

> -----Original Message-----
> From: Hugo Haas [mailto:hugo@w3.org] 
> Sent: 22 November 2004 18:07
> To: Martin Gudgin
> Cc: Glen Daniels; public-ws-addressing@w3.org
> Subject: Re: ISSUE 8 : "Clarity and Safety"
> 
> * Martin Gudgin <mgudgin@microsoft.com> [2004-11-22 07:02-0800]
> > > The WS-Addressing submission states that reference properties and
> > > parameters are "assumed to be opaque to consuming applications".
> > > 
> > > In these conditions, how can I decide whether I like them or not?
> > 
> > The same way you decide whether or not you like a URI?
> 
> There's a slight difference though: you know that the destination URI
> is an identifier for the destination, whereas reference properties
> could be abused by making you insert XML that does additional
> processing which looks like it's been requested by the service client.

Whereas URIs are never abused to send people to a 'non-obvious' site...

I was just trying to address a problem other people had been positing.
It's not a problem for me because I'll only trust EPRs signed by certain
parties. And I'll trust that those parties are giving me the correct URI
and RefProps/Params.

> 
> > The fact that some XML can be assumed to be opaque does not preclude
> > someone from making decisions based on aspects of that XML. 
> People have
> > posited that they might have reasons for not wanting to use certain
> > reference property/parameter elements. If this is the case, 
> then they
> > need to *not* treat the data as opaque and rather use 
> whatever criteria
> > they choose to deterimine whether the data does or does not 
> fit those
> > criteria. 
> 
> I think that it's weird to define them as opaque and then, in the
> yet-to-be-written security portion of our spec, advice people not to
> treat those as opaque, especially as this XML could really be
> anything.

I think they are as opaque as URIs. I can treat a URI as opaque, indeed,
as a user of URIs I am encouraged to do so. However, I often inspect a
particular URI and choose not to follow it based on information I glean
from such inspection.

Gudge

> 
> Cheers,
> 
> Hugo
> 
> -- 
> Hugo Haas - W3C
> mailto:hugo@w3.org - http://www.w3.org/People/Hugo/
> 
Received on Monday, 22 November 2004 19:19:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:59 GMT