Re: Issue LC90

Mark pointed out that the last proposal on the table was to drop the
paragraph and not replace it at all. We still think it should stay because
it does add an important clarification for those thinking of using
message_id for detecting replays.

Paco




                                                                                                                                          
From:     Francisco Curbera/Watson/IBM@IBMUS
Sent by:  public-ws-addressing-request@w3.org
To:       public-ws-addressing@w3.org
cc:
Subject:  Issue LC90
Date:     06/27/2005 01:16 PM
                                                                                                                                          






Issue LC90 proposes changing the following paragraph in the security
section,

"Some processors may use message identifiers ([message id]) as part of a
uniqueness metric in order to detect replays of messages. Care should be
taken to ensure that for purposes of replay detection, the message
identifier is combined with other data, such as a timestamp, so that a
legitimate retransmission of the message is not confused with a replay
attack."

to the alternate text,

"For purposes of reliability and security, the [message id] property SHOULD
be regarded simply as another part of the message payload.  It SHOULD NOT be
used as part of a uniqueness metric in order to detect replays of messages,
as a message with a given [message id] may be legitimately re-sent for
purposes of reliable transmission."

We think that there is no justification to say that one cannot use
messageID as part of a uniqueness criterion for security purposes, so the
"SHOULD NOT" in the proposed text is unjustified. The original text is more
balanced, recognizing that message_id may be used and giving the right
advice if one chooses to do so.

I propose we close with no change.

Paco

Received on Monday, 27 June 2005 18:01:15 UTC
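
The advice in the original paragraph quoted above, as an added example that is not part of either message or of the WS-Addressing specification: a replay cache keyed on the [message id] together with a timestamp, compared with an id-only metric. It assumes that a legitimate retransmission carries a fresh timestamp, that both values are covered by a signature verified before this check, and a five-minute freshness window; the class and function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

class ReplayGuard:
    """Replay cache keyed on (message id, timestamp), not on the id alone.

    Assumes both values were integrity-checked (e.g. signed) before check().
    """

    def __init__(self, window=timedelta(minutes=5)):
        self.window = window   # assumed freshness window / clock-skew allowance
        self._seen = {}        # (message_id, created) -> time the entry may be dropped

    def check(self, message_id, created, now):
        # Entries only need to live as long as their timestamp would still pass
        # the freshness test; after that the stale check rejects the copy.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        if abs(now - created) > self.window:
            return "stale"
        key = (message_id, created)
        if key in self._seen:
            return "replay"
        self._seen[key] = created + self.window
        return "accept"

def run_demo():
    """Constructed traffic: original, captured copy, retransmission, late copy."""
    t0 = datetime(2005, 6, 27, 18, 0, tzinfo=timezone.utc)
    sec = timedelta(seconds=1)
    mid = "urn:uuid:constructed-example-0001"  # constructed [message id]
    guard, ids_only, results = ReplayGuard(), set(), []
    traffic = [  # (label, timestamp in message, arrival time)
        ("original", t0, t0),
        ("captured copy", t0, t0 + 10 * sec),
        # Assumption: the sender re-stamps the message when it retransmits.
        ("retransmission", t0 + 30 * sec, t0 + 30 * sec),
        ("late copy", t0, t0 + 600 * sec),
    ]
    for label, created, now in traffic:
        verdict = guard.check(mid, created, now)
        id_only = "replay" if mid in ids_only else "accept"  # naive id-only metric
        ids_only.add(mid)
        results.append((label, verdict, id_only))
    return results

if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The third row is the case the paragraph warns about: the id-only metric flags the legitimate retransmission as a replay, while the combined key accepts it and still rejects the byte-identical copy.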