
Security problem with WS-Addressing

From: Husband, Yin-Leng <yin-leng.husband@hp.com>
Date: Tue, 12 Jul 2005 06:30:19 +1000
Message-ID: <ED28DBD13CDAA44D974F00D56B594BCE01F3B9B0@snoexc04.asiapacific.cpqcorp.net>
To: <public-ws-addressing@w3.org>
Cc: "Vambenepe, William N" <vbp@hp.com>

HP is concerned that the current WS-A specification creates a serious
security risk by providing a way to trick consumers of EPRs to send (and
potentially sign) headers that carry semantics they do not understand
and would not agree to send if they understood them. The specification
does not provide an adequate way for the EPR consumer to protect itself.
The wsa:IsReferenceParameter attribute is not sufficient because:

- the schema of the header might not allow attribute extension

- there is no mechanism (like soap:MustUnderstand for headers) to
specify, in a way that all SOAP processors must understand, that this
attribute must be understood.

This problem is further discussed at [1] and solutions to this problem
have been proposed to the WG, including at [2].


[1] http://h20276.www2.hp.com/blogs/vambenepe/2005/06/20/1119312469000.html

[2] http://lists.w3.org/Archives/Public/public-ws-addressing/2004Nov/0474.html


Yin Leng
Received on Monday, 11 July 2005 20:32:34 GMT
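The consumer-side protection the message says the specification lacks, as an added example (not code from the message, from HP, or from the WS-Addressing specification): the EPR consumer parses the EPR, refuses to echo any reference parameter outside an allowlist of element names it understands, and marks the ones it does echo with wsa:IsReferenceParameter="true". The namespace URIs are those of WS-Addressing 1.0 and SOAP 1.2; the sample EPR and its element names are constructed.

```python
# Added example, not from the original message or the WS-Addressing spec:
# an EPR consumer that echoes reference parameters only when it knows them.
import copy
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"      # WS-Addressing 1.0 namespace
SOAP = "http://www.w3.org/2003/05/soap-envelope"   # SOAP 1.2 envelope namespace

# Constructed sample EPR: one parameter the consumer understands and one
# from a namespace it does not (the case the message warns about).
EPR_XML = f"""
<wsa:EndpointReference xmlns:wsa="{WSA}">
  <wsa:Address>http://example.invalid/service</wsa:Address>
  <wsa:ReferenceParameters>
    <s:SessionId xmlns:s="urn:example:session">abc123</s:SessionId>
    <x:Opaque xmlns:x="urn:example:other">whatever</x:Opaque>
  </wsa:ReferenceParameters>
</wsa:EndpointReference>
"""

def reference_parameters(epr_xml):
    """Child elements of wsa:ReferenceParameters, tags in Clark notation."""
    root = ET.fromstring(epr_xml)
    rp = root.find(f"{{{WSA}}}ReferenceParameters")
    return list(rp) if rp is not None else []

def unrecognised(epr_xml, allowed):
    """Tags the EPR asks the consumer to echo whose semantics it does not know."""
    return [el.tag for el in reference_parameters(epr_xml) if el.tag not in allowed]

def build_headers(epr_xml, allowed):
    """Build a soap:Header echoing only allowed parameters, each marked
    wsa:IsReferenceParameter="true". Rejects the whole EPR if any parameter
    is unknown, rather than signing and sending headers it cannot vouch for.
    The attribute alone is not the protection (the message explains why);
    the allowlist is."""
    bad = unrecognised(epr_xml, allowed)
    if bad:
        raise ValueError(f"unrecognised reference parameters: {bad}")
    header = ET.Element(f"{{{SOAP}}}Header")
    for el in reference_parameters(epr_xml):
        hdr = copy.deepcopy(el)
        hdr.set(f"{{{WSA}}}IsReferenceParameter", "true")
        header.append(hdr)
    return header
```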
