W3C home > Mailing lists > Public > public-ws-addressing@w3.org > June 2005

Issue LC90

From: Francisco Curbera <curbera@us.ibm.com>
Date: Mon, 27 Jun 2005 13:16:49 -0400
To: public-ws-addressing@w3.org
Message-ID: <OFDEF952C3.D1D3ABD3-ON8525702D.005DEF53-8525702D.005EECD0@us.ibm.com>


Issue LC90 proposes changing the following paragraph in the security
section,

"Some processors may use message identifiers ([message id]) as part of a
uniqueness metric in order to detect replays of messages. Care should be
taken to ensure that for purposes of replay detection, the message
identifier is combined with other data, such as a timestamp, so that a
legitimate retransmission of the message is not confused with a replay
attack."

to the alternate text,

"For purposes of reliability and security, the [message id] property SHOULD
regarded simply as another part of the message payload.  It SHOULD NOT be
used as part of a uniqueness metric in order to detect replays of messages,
as a message with a given [message id] may be legitimately re-sent for
purposes of reliable transmission."

We think that there is no justification to say that you one cannot use
messageID as part of an uniqueness criterion for security purposes, so the
"SHOULD NOT" in the proposed text is unjustified. The original text is more
balanced, recognizing that message_if may be used and giving the right
advice if one chooses to do so.

I propose we close with no change.

Paco
Received on Monday, 27 June 2005 17:16:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:35:05 GMT