
Re: Security problem with WS-Addressing

From: Tom Rutt <tom@coastin.com>
Date: Mon, 11 Jul 2005 16:37:14 -0400
Message-ID: <42D2D87A.6060000@coastin.com>
To: "Husband, Yin-Leng" <yin-leng.husband@hp.com>
CC: public-ws-addressing@w3.org, "Vambenepe, William N" <vbp@hp.com>

Husband, Yin-Leng wrote:

I think this concern is the same as that expressed in the formal 
objection, posted as:
http://lists.w3.org/Archives/Public/public-ws-addressing/2005May/0047.html

Perhaps HP might want to consider supporting that formal objection.

Tom Rutt

> HP is concerned that the current WS-A specification creates a serious 
> security risk by providing a way to trick consumers of EPRs to send 
> (and potentially sign) headers that carry semantics they do not 
> understand and would not agree to send if they understood them. The 
> specification does not provide an adequate way for the EPR consumer to 
> protect itself. The wsa:IsReferenceParameter attribute is not 
> sufficient because:
>
> - the schema of the header might not allow attribute extension
>
> - there is no mechanism (like soap:MustUnderstand for headers) to 
> specify, in a way that all SOAP processors must understand, that this 
> attribute must be understood.
>
> This problem is further discussed at [1] and solutions to this problem 
> have been proposed to the WG, including at [2].
>
>  
>
> [1] 
> http://h20276.www2.hp.com/blogs/vambenepe/2005/06/20/1119312469000.html
>
> [2] 
> http://lists.w3.org/Archives/Public/public-ws-addressing/2004Nov/0474.html
>
>  
>
> Yin Leng
>


-- 
----------------------------------------------------
Tom Rutt	email: tom@coastin.com; trutt@us.fujitsu.com
Tel: +1 732 801 5744          Fax: +1 732 774 5133
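The objection quoted above is that an EPR consumer has no reliable way to refuse reference parameters it does not understand before they are echoed, and possibly signed, as SOAP headers. The following is an added illustration of the consumer-side control being asked for; it is not code from this thread, from HP, or from the WS-Addressing WG. It parses a constructed EPR, keeps only reference parameters whose header QName the consumer has explicitly agreed to send, marks those with wsa:IsReferenceParameter, and by default refuses to build a request at all if anything else is present. The namespace is the WS-Addressing 1.0 Recommendation's; the SessionId and PaymentAuthorisation headers and the urn:example names are hypothetical.

```python
import copy
import xml.etree.ElementTree as ET

WSA_NS = "http://www.w3.org/2005/08/addressing"      # WS-Addressing 1.0 namespace
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2 envelope namespace


def q(ns, local):
    """Clark-notation QName ({namespace}local), the form ElementTree uses."""
    return "{%s}%s" % (ns, local)


# Constructed sample EPR for this example (not from the thread). The second
# reference parameter stands for a header whose semantics the consumer has
# never agreed to; a naive consumer would echo and sign it unexamined.
SAMPLE_EPR = """<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsa:Address>http://service.example.invalid/endpoint</wsa:Address>
  <wsa:ReferenceParameters>
    <s:SessionId xmlns:s="urn:example:session">abc123</s:SessionId>
    <p:PaymentAuthorisation xmlns:p="urn:example:payments">approve-all</p:PaymentAuthorisation>
  </wsa:ReferenceParameters>
</wsa:EndpointReference>"""

# Header QNames this consumer understands and is willing to send (and sign).
# Anything not listed here is treated as unknown semantics, not as opaque data.
ALLOWED_REFERENCE_PARAMETERS = {q("urn:example:session", "SessionId")}


def reference_parameters(epr_xml):
    """Return the child elements of wsa:ReferenceParameters, or [] if absent."""
    root = ET.fromstring(epr_xml)
    rp = root.find(q(WSA_NS, "ReferenceParameters"))
    return list(rp) if rp is not None else []


def select_headers(epr_xml, allowed=ALLOWED_REFERENCE_PARAMETERS):
    """Split reference parameters into headers we will send and QNames we refuse.

    Accepted copies are marked wsa:IsReferenceParameter="true" so the receiver
    can distinguish them from headers the consumer authored itself.
    """
    accepted, rejected = [], []
    for param in reference_parameters(epr_xml):
        if param.tag in allowed:
            hdr = copy.deepcopy(param)
            hdr.set(q(WSA_NS, "IsReferenceParameter"), "true")
            accepted.append(hdr)
        else:
            rejected.append(param.tag)
    return accepted, rejected


def build_request(epr_xml, body_xml, allowed=ALLOWED_REFERENCE_PARAMETERS, strict=True):
    """Build a SOAP 1.2 envelope addressed per the EPR.

    In strict mode (the default) an EPR carrying any unrecognised reference
    parameter is rejected outright rather than partially honoured, so the
    consumer never signs a header it did not choose to send.
    """
    accepted, rejected = select_headers(epr_xml, allowed)
    if strict and rejected:
        raise ValueError(
            "EPR carries reference parameters this consumer does not understand: "
            + ", ".join(rejected)
        )
    address = ET.fromstring(epr_xml).findtext(q(WSA_NS, "Address"))
    env = ET.Element(q(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, q(SOAP_NS, "Header"))
    to = ET.SubElement(header, q(WSA_NS, "To"))
    to.text = address
    for hdr in accepted:
        header.append(hdr)
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    ok, refused = select_headers(SAMPLE_EPR)
    print("would send:", [h.tag for h in ok])
    print("refused:   ", refused)
    try:
        build_request(SAMPLE_EPR, "<x/>")
    except ValueError as e:
        print("strict mode:", e)
    print(build_request(SAMPLE_EPR, "<x/>", strict=False))
```

The allowlist is the real control here: marking accepted headers with wsa:IsReferenceParameter is useful to the receiver, but, as the objection notes, a header's schema may not permit that attribute and no processor is obliged to understand it, so the consumer cannot rely on the marker alone to limit what it has committed to.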
Received on Monday, 11 July 2005 20:39:38 GMT