W3C home > Mailing lists > Public > public-ws-addressing@w3.org > April 2007

Re: Need for new Rec or TR on attaching policy to EPR

From: Richard Salz <rsalz@us.ibm.com>
Date: Mon, 2 Apr 2007 15:34:45 -0400
To: Anish Karmarkar <Anish.Karmarkar@oracle.com>
Cc: WS-Addressing <public-ws-addressing@w3.org>
Message-ID: <OF4566ACB0.A31559D0-ON852572B1.006A5597-852572B1.006B85EA@us.ibm.com>

> Isn't this similar to the issue of what does a consumer do with 
> wsa:Address value within an EPR when it already has a WSDL with the WSDL 

> port/endpoint information in it?

It's different because the client presumably *asked* for the EPR.

I am concerned about an EPR service being an obvious place to attack. 
Right now, if I use XML encryption, for example, I don't have to worry 
about DNS being compromised, because I can make sure that my message can 
only be decrypted by its intended recipient.  Once an EPR can have policy 
statements, an attacker might be able to send me an EPR with a security 
policy that says "just sign it." If I trust that EPR -- or, more 
accurately, if the all-singing and dancing runtime that I'm forced to use 
trusts it -- then I have lost the ability to protect myself. This is a 
real concern; a similar weakness is one of the main reasons why SSLv2 
should not be used.

The idea that every policy-carrying EPR is a potential man-in-the-middle 
attack is not one that occurs to many people.

        /r$

--
STSM
Senior Security Architect
DataPower SOA Appliances
Received on Monday, 2 April 2007 19:34:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:35:16 GMT