Re: Proposal for lc87 and lc55

Hi Marc.

Thinking about your proposal a bit more:

* Marc Hadley <Marc.Hadley@Sun.COM> [2005-06-20 14:12-0400]
> X. Security Considerations (Core)
> 
> Conformance to this specification does not require a message receiver  
> to honor the WS-Addressing constructs within a message if the  
> receiver is not satisfied that the message is safe to process.
> 
> WS-Addressing supports capabilities that allow a message sender to
> instruct a message receiver to send additional unsolicited messages
> to other receivers of their choice. To an extent the content of such
> unsolicited messages can also be controlled using reference parameters
> supplied by the initial message sender. Because of these capabilities
> it is essential that communications using WS-Addressing are
> adequately secured and that a sufficient level of trust is
> established between the communicating parties before a receiver
> processes WS-Addressing constructs within a message. There are
> several aspects to securing a message:
> 
> (i) EPRs and message addressing properties should be integrity- 
> protected to prevent tampering. Such integrity protection might be  
> provided by the transport, a message level signature, or use of an  
> XML digital signature within EPRs.
> 
> (ii) Users of EPRs should only use EPRs from sources they trust. The  
> required trust has two aspects:
> 
> (a) that the EPR was obtained from a trusted source
> (b) that it was obtained from a source with authority to represent  
> the [destination] of that EPR.
> 
> For example, the receiver of a message might rely on the presence of
> a verifiable signature by a trusted party over the message addressing
> properties to determine that the message originated from a trusted
> source and further require that the [reply endpoint] and [fault
> endpoint] are signed by a principal with authority to represent the
> [destination] of those EPRs to ensure that unsolicited messages are
> not sent. Alternatively an out-of-band means of establishing trust
> might be used to determine whether a particular EPR is trustworthy.

I was wondering if (ii)(b) was always necessary.

There are 3 actors in a WS-Addressing interaction:
- the EPR user U
- the EPR minter M
- the EPR addressee A

U is going to use an EPR, and needs to make sure that it's safe to do
so.

In your proposed text, U trusts M and M has some authority to
represent A. A scenario: M instructs U to send millions of messages to
A; it's good to know that M has some authority to represent A in order
to make sure that A isn't going to complain that a DoS attack is
underway.

However, it could be sufficient that U trusts M. M instructs U to send
messages to A, and as U trusts M, that's enough for U to just do so
(e.g. "use the Google search engine Web service interface instead of
using our local search interface for your next search"; M may well
have no relationship with Google whatsoever).

Do you consider (b) always necessary?

I'm also wondering if M could give an EPR signed by A, and U trusts A
very highly (e.g. the EPR [address] is in its local domain and it was
signed by a trusted key from its own organization), and is willing to
use it even though it can't establish a trust relationship with M.

Regards,

Hugo

-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/

Received on Thursday, 7 July 2005 11:45:49 UTC
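The three-actor framing above (EPR user U, minter M, addressee A), as an added Python sketch that is not from this thread or from the WS-Addressing specification. It encodes Marc's (ii)(a)+(b) rule next to the two weaker rules Hugo asks about; the keys, hostnames and the HMAC standing in for an XML digital signature are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the XML digital signature: an HMAC over the
# canonical EPR, with U holding a verification key per party it trusts.
TRUSTED_KEYS = {"M": b"minter-key", "A": b"addressee-key"}   # constructed keys
AUTHORITY = {"M": {"m.example.org"}, "A": {"a.example.org"}}  # who may speak for which host

def canonical(epr):
    """Deterministic bytes over the [address] and reference parameters."""
    return json.dumps(epr, sort_keys=True, separators=(",", ":")).encode()

def sign(epr, key):
    return hmac.new(key, canonical(epr), hashlib.sha256).hexdigest()

def verified_signers(epr, signatures, trusted_keys=TRUSTED_KEYS):
    """Trusted parties whose signature over this exact EPR verifies."""
    return {s for s, sig in signatures.items()
            if s in trusted_keys
            and hmac.compare_digest(sig, sign(epr, trusted_keys[s]))}

def may_use(epr, source, signatures, policy, authority=AUTHORITY):
    """Should U act on an EPR obtained from `source` (the minter M)?
    "a-and-b": Marc's text: (ii)(a) trusted source and (ii)(b) that source
               has authority over the EPR's [destination] host.
    "a-only":  Hugo's first question: trusting the source is enough.
    "b-only":  Hugo's second question: a trusted party with authority over
               the destination (typically the addressee A) vouches for it.
    """
    signers = verified_signers(epr, signatures)
    host = epr["address"].split("/")[2]
    with_authority = {s for s in signers if host in authority.get(s, ())}
    if policy == "a-and-b":
        return source in with_authority
    if policy == "a-only":
        return source in signers
    if policy == "b-only":
        return bool(with_authority)
    raise ValueError(policy)

# Hugo's search-engine case: trusted M points U at a host M cannot speak for.
SEARCH_EPR = {"address": "http://search.example.com/ws", "reference_parameters": {}}
SEARCH_SIGS = {"M": sign(SEARCH_EPR, TRUSTED_KEYS["M"])}
# EPR in U's own domain, signed by A but relayed by a minter X that U does not trust.
LOCAL_EPR = {"address": "http://a.example.org/svc", "reference_parameters": {"id": "7"}}
LOCAL_SIGS = {"A": sign(LOCAL_EPR, TRUSTED_KEYS["A"]), "X": "not-verifiable"}
# Tampering after signing: the [address] is redirected, so no signature verifies.
TAMPERED_EPR = dict(LOCAL_EPR, address="http://other.example.net/svc")
```

Under "a-and-b" the search-engine EPR is rejected and the A-signed EPR from an untrusted relay is rejected too; "a-only" accepts the first, "b-only" accepts the second, and a tampered EPR fails under every rule.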