
RE: LC 76 - What makes a msg WS-A?

From: Rich Salz <rsalz@datapower.com>
Date: Thu, 14 Jul 2005 22:37:14 -0400 (EDT)
To: dorchard@bea.com
cc: "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
Message-ID: <Pine.LNX.4.44L0.0507142226450.22056-100000@smtp.datapower.com>

> 	I thought it was clear.  As soon as a single ws-a header is
> marked with mU, then a fault will be thrown if there are any missing
> headers like Action.

I assume you mean "missing and non-defaulted," right?

Or do we advise that if you want mustUnderstand, then you shouldn't use
default values but explicitly put in the headers with the default values?

My concern is this:  a client prepares a WSA message leaving things
like the default wsa:replyto.  The security layer then signs the headers
and message body.  An adversary intercepts the message and inserts an
unsigned wsa:replyto header.  It is hard, if not impossible, for most
implementations to catch this.
        /r$

-- 
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
Received on Friday, 15 July 2005 02:37:19 GMT
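
Added example, not part of the original message or of any WS-Addressing implementation: a receiver-side coverage check for the scenario described above, reporting every wsa:* header block that no ds:Reference in the signature covers. It assumes the final WS-Addressing 1.0 namespace, wsu:Id-based same-document references, and a signature that was already validated cryptographically; the function and sample names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.2, WS-Addressing 1.0 (final namespace, assumed here),
# XML Signature, and the WS-Security utility schema that defines wsu:Id.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def unsigned_wsa_headers(envelope_xml):
    """Return local names of wsa:* header blocks not covered by a ds:Reference.
    Coverage check only: signature validation is assumed to happen elsewhere."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        return []
    # Same-document references of the form URI="#id".
    signed_ids = {ref.get("URI", "")[1:]
                  for ref in header.iter(f"{{{DS}}}Reference")
                  if ref.get("URI", "").startswith("#")}
    # An Id carried by more than one element is ambiguous: treat it as unsigned.
    all_ids = [el.get(f"{{{WSU}}}Id") for el in root.iter()]
    uncovered = []
    for block in header:
        if not block.tag.startswith(f"{{{WSA}}}"):
            continue
        block_id = block.get(f"{{{WSU}}}Id")  # None when the block has no Id
        if block_id not in signed_ids or all_ids.count(block_id) != 1:
            uncovered.append(block.tag.split("}", 1)[1])
    return uncovered

# Constructed header of the kind the message describes: present but unsigned.
INSERTED_REPLY_TO = ("<wsa:ReplyTo><wsa:Address>http://other.example/reply"
                     "</wsa:Address></wsa:ReplyTo>")

def sample_envelope(extra_header=""):
    # Constructed, simplified sample (no wsse:Security wrapper or digests):
    # To and Action are signed, ReplyTo is omitted and left to its default.
    return f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsa="{WSA}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">
  <s:Header>
    <wsa:To wsu:Id="to">http://example.org/service</wsa:To>
    <wsa:Action wsu:Id="act">http://example.org/Order</wsa:Action>
    {extra_header}
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#to"/><ds:Reference URI="#act"/><ds:Reference URI="#body"/>
    </ds:SignedInfo></ds:Signature>
  </s:Header>
  <s:Body wsu:Id="body"/>
</s:Envelope>"""
```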
