
Re: Issue LC90

From: Francisco Curbera <curbera@us.ibm.com>
Date: Mon, 27 Jun 2005 14:00:59 -0400
To: Francisco Curbera <curbera@us.ibm.com>
Cc: public-ws-addressing@w3.org, public-ws-addressing-request@w3.org
Message-ID: <OF15B1EE90.AF7017C8-ON8525702D.0062CE8E-8525702D.0062F7F1@us.ibm.com>

Mark pointed out that the last proposal on the table was to drop the
paragraph and not replace it at all. We still think it should stay because
it does add an important clarification for those thinking of using
message_id for detecting replays.


Curbera/Watson/IBM@IBMUS
Sent by: public-ws-addressing-req
06/27/2005 01:16 PM
To: public-ws-addressing@w3.org
cc:
Subject: Issue LC90

Issue LC90 proposes changing the following paragraph in the security

"Some processors may use message identifiers ([message id]) as part of a
uniqueness metric in order to detect replays of messages. Care should be
taken to ensure that for purposes of replay detection, the message
identifier is combined with other data, such as a timestamp, so that a
legitimate retransmission of the message is not confused with a replay

to the alternate text,

"For purposes of reliability and security, the [message id] property SHOULD
be regarded simply as another part of the message payload.  It SHOULD NOT be
used as part of a uniqueness metric in order to detect replays of messages,
as a message with a given [message id] may be legitimately re-sent for
purposes of reliable transmission."

We think that there is no justification to say that one cannot use
messageID as part of a uniqueness criterion for security purposes, so the
"SHOULD NOT" in the proposed text is unjustified. The original text is more
balanced, recognizing that message_id may be used and giving the right
advice if one chooses to do so.

I propose we close with no change.

Received on Monday, 27 June 2005 18:01:15 UTC
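
An added illustration of the original paragraph's advice (not part of this message or of the WS-Addressing specification): a replay cache keyed on the message identifier combined with a timestamp, so a re-sent message is accepted while an identical copy is rejected. The `ReplayCache` name, the 5-minute window, the sample id and the assumption that the sender stamps each retransmission with a new, signed timestamp are all hypothetical.

```python
from datetime import datetime, timedelta, timezone


class ReplayCache:
    """Replay detector keyed on (message id, timestamp), not message id alone.

    Assumes both values were covered by a signature the caller has already
    verified; otherwise the timestamp could be altered in transit.
    """

    def __init__(self, window=timedelta(minutes=5)):
        self.window = window   # constructed freshness window
        self._seen = {}        # (message_id, created) -> expiry time

    def check(self, message_id, created, now):
        # Evict entries whose timestamp can no longer pass the freshness
        # check, so the cache stays bounded by the window.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        # Outside the window the cache cannot vouch for uniqueness.
        if abs(now - created) > self.window:
            return "stale"
        key = (message_id, created)
        if key in self._seen:
            return "replay"
        self._seen[key] = created + self.window
        return "accept"


def demo():
    """Run four constructed deliveries of one message id through the cache."""
    t0 = datetime(2005, 6, 27, 18, 0, 0, tzinfo=timezone.utc)
    sec = lambda n: t0 + timedelta(seconds=n)
    cache = ReplayCache()
    mid = "urn:uuid:constructed-example-id"  # constructed sample value
    return [
        cache.check(mid, t0, sec(1)),         # first delivery
        cache.check(mid, t0, sec(2)),         # identical copy: same id, same timestamp
        cache.check(mid, sec(30), sec(31)),   # retransmission: same id, new timestamp
        cache.check(mid, t0, sec(600)),       # old copy presented after the window
    ]


if __name__ == "__main__":
    print(demo())
```

A cache keyed on the message id alone would have reported the third delivery as a replay, which is the confusion the original paragraph warns about.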
