- From: Hugo Haas <hugo@w3.org>
- Date: Thu, 7 Jul 2005 13:12:51 +0200
- To: Marc Hadley <Marc.Hadley@Sun.COM>
- Cc: public-ws-addressing@w3.org, Thomas Roessler <roessler@w3.org>
- Message-ID: <20050707111251.GB4135@w3.org>
Hi Marc.

Thinking about your proposal a bit more:

* Marc Hadley <Marc.Hadley@Sun.COM> [2005-06-20 14:12-0400]
> X. Security Considerations (Core)
>
> Conformance to this specification does not require a message receiver
> to honor the WS-Addressing constructs within a message if the
> receiver is not satisfied that the message is safe to process.
>
> WS-Addressing supports capabilities that allow a message sender to
> instruct a message receiver to send additional unsolicited messages
> to other receivers of their choice. To an extent the content of such
> unsolicited messages can also be controlled using reference parameters
> supplied by the initial message sender. Because of these capabilities
> it is essential that communications using WS-Addressing are
> adequately secured and that a sufficient level of trust is
> established between the communicating parties before a receiver
> processes WS-Addressing constructs within a message. There are
> several aspects to securing a message:
>
> (i) EPRs and message addressing properties should be
> integrity-protected to prevent tampering. Such integrity protection
> might be provided by the transport, a message level signature, or use
> of an XML digital signature within EPRs.
>
> (ii) Users of EPRs should only use EPRs from sources they trust. The
> required trust has two aspects:
>
> (a) that the EPR was obtained from a trusted source
> (b) that it was obtained from a source with authority to represent
> the [destination] of that EPR.
>
> For example, the receiver of a message might rely on the presence of
> a verifiable signature by a trusted party over the message addressing
> properties to determine that the message originated from a trusted
> source and further require that the [reply endpoint] and [fault
> endpoint] are signed by a principal with authority to represent the
> [destination] of those EPRs to ensure that unsolicited messages are
> not sent. Alternatively an out-of-band means of establishing trust
> might be used to determine whether a particular EPR is trustworthy.

I was wondering if (ii)(b) was always necessary.

There are 3 actors in a WS-Addressing interaction:
- the EPR user U
- the EPR minter M
- the EPR addressee A

U is going to use an EPR, and needs to make sure that it's safe to do so.

In your proposed text, U trusts M and M has some authority to represent A.

A scenario: M instructs U to send millions of messages to A; it's good to know that M has some authority to represent A in order to make sure that A isn't going to complain that a DoS attack is underway.

However, it could be sufficient that U trusts M. M instructs U to send messages to A, and as U trusts M, that's enough for U to just do so (e.g. "use the Google search engine Web service interface instead of using our local search interface for your next search"; M may well have no relationship with Google whatsoever).

Do you consider (b) always necessary?

I'm also wondering if M could give an EPR signed by A, and U trusts A very highly (e.g. the EPR [address] is in its local domain and it was signed by a trusted key from its own organization), and is willing to use it even though it can't establish a trust relationship with M.

Regards,

Hugo

-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/
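The trust decision the thread is discussing, written out as an added example that is not part of the mailing-list message or of the WS-Addressing specification. It models the three actors Hugo names (EPR user U, minter M, addressee A) and the three checks in Marc's proposed text: (i) integrity of the EPR, (ii)(a) trust in the signer, and (ii)(b) the signer's authority to represent the [destination]. The `require_authority` switch is Hugo's question of whether (b) is always needed. Signatures are modelled with HMAC over a canonical serialisation of the addressing properties as a stand-in for the XML digital signatures the proposal refers to; the keys, addresses, actor names and policy contents are all constructed for illustration.

```python
"""Trust-policy check for a WS-Addressing EPR (added illustration).

Actors: U decides whether to use an EPR; M minted (signed) it; A is the
addressee. HMAC stands in for XML DSig, and all keys/addresses below are
constructed values, not anything from the thread or the specification.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed verification keys; in practice these would be certificates
# and the check would be an XML Signature verification.
KEYS = {"M": b"minter-key", "A": b"addressee-key", "X": b"stranger-key"}


def canonical(epr: dict) -> bytes:
    # Deterministic serialisation of the addressing properties so that a
    # signature covers [address] and reference parameters together.
    return "|".join(f"{k}={epr[k]}" for k in sorted(epr)).encode()


def sign(signer: str, epr: dict) -> str:
    return hmac.new(KEYS[signer], canonical(epr), hashlib.sha256).hexdigest()


def verify(signer: str, epr: dict, sig: str) -> bool:
    if signer not in KEYS:
        return False
    return hmac.compare_digest(sign(signer, epr), sig)


@dataclass
class Policy:
    trusted_signers: set      # parties U trusts: aspect (ii)(a)
    authority: dict           # signer -> address prefixes it may represent: aspect (ii)(b)
    require_authority: bool   # whether (ii)(b) is enforced at all (Hugo's question)


def signer_has_authority(policy: Policy, signer: str, address: str) -> bool:
    return any(address.startswith(p) for p in policy.authority.get(signer, ()))


def accept_epr(policy: Policy, epr: dict, signer: str, sig: str):
    """Return (accepted, reason) for an EPR presented to U by `signer`."""
    # (i) integrity: a tampered [address] or reference parameter fails here
    if not verify(signer, epr, sig):
        return False, "signature does not verify"
    # (ii)(a): the EPR must come from a source U trusts
    if signer not in policy.trusted_signers:
        return False, f"signer {signer} is not trusted"
    # (ii)(b): optionally, the signer must have authority over the [destination]
    if policy.require_authority and not signer_has_authority(policy, signer, epr["Address"]):
        return False, f"signer {signer} has no authority for {epr['Address']}"
    return True, "ok"


def run_scenarios() -> dict:
    """Walk through the cases raised in the thread; returns name -> accepted."""
    # Constructed EPRs: one pointing at a third-party search service, one in U's own domain
    epr_remote = {"Address": "http://search.example.com/ws", "ReferenceParameters": "q=foo"}
    epr_local = {"Address": "http://ws.local.example/reply", "ReferenceParameters": "ctx=42"}

    strict = Policy(trusted_signers={"M", "A"},
                    authority={"A": {"http://ws.local.example/"}},
                    require_authority=True)
    relaxed = Policy(trusted_signers={"M", "A"},
                     authority={"A": {"http://ws.local.example/"}},
                     require_authority=False)

    results = {}
    # M (trusted, but with no relationship to the remote service) mints an EPR for it:
    # rejected if (b) is required, accepted if trusting M alone is enough.
    sig_m = sign("M", epr_remote)
    results["M_remote_strict"] = accept_epr(strict, epr_remote, "M", sig_m)[0]
    results["M_remote_relaxed"] = accept_epr(relaxed, epr_remote, "M", sig_m)[0]
    # Hugo's second case: the EPR is signed by A for its own domain, so U can
    # accept it under the strict policy without any trust relationship with M.
    sig_a = sign("A", epr_local)
    results["A_local_strict"] = accept_epr(strict, epr_local, "A", sig_a)[0]
    # Aspect (i): a reference parameter altered after signing is rejected.
    tampered = dict(epr_local, ReferenceParameters="ctx=evil")
    results["tampered"] = accept_epr(strict, tampered, "A", sig_a)[0]
    # Aspect (ii)(a): a valid signature from a party U does not trust is rejected.
    results["untrusted_signer"] = accept_epr(relaxed, epr_remote, "X", sign("X", epr_remote))[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

The `strict` and `relaxed` policies differ only in whether (ii)(b) is enforced, which is the trade-off the message asks about: dropping it lets a trusted minter direct U at any endpoint, while keeping it means an EPR for a third-party service needs a signature from a party that can speak for that service, or an out-of-band trust decision instead.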
Received on Thursday, 7 July 2005 11:45:49 UTC