W3C home > Mailing lists > Public > public-ws-resource-access@w3.org > April 2010

RE: issue 8273: proposal for WS-Enumeration

From: Ram Jeyaraman <Ram.Jeyaraman@microsoft.com>
Date: Thu, 15 Apr 2010 22:14:12 +0000
To: Gilbert Pilz <gilbert.pilz@oracle.com>, "public-ws-resource-access@w3.org" <public-ws-resource-access@w3.org>
Message-ID: <503546C5699C1144BDEA0D0DFFE7F8812D0C97A0@TK5EX14MBXC110.redmond.corp.microsoft.com>
Some editorial comments below [1]. Thanks.

[1]

“Likewise EnumerationEnd messages ought to be authenticated and verified to originate from the “data source owner” of the subscription enumeration (for example, the entity that sent the original EnumerateResponse message).”

“To defend against the misuse of snooped/guessed Enumeration Contexts, Data Sources are advised to authenticate clients sending Pull requests and verify that they are the “consumer owner” of the context used in the request.”

“When deployed within a DMZ, such a Data Source could be exploited to probe for other, non-visible machines by guessing target address values and using these values as the EndTo address in Enumerate requests.”

From: public-ws-resource-access-request@w3.org [mailto:public-ws-resource-access-request@w3.org] On Behalf Of Gilbert Pilz
Sent: Friday, April 02, 2010 10:31 AM
To: public-ws-resource-access@w3.org
Subject: issue 8273: proposal for WS-Enumeration

Attached is the 8273 proposal for WS-Enumeration. As with WS-Eventing, this proposal is a complete replace of the existing Section 5.

- gp
Received on Thursday, 15 April 2010 22:14:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 18 December 2010 18:18:26 GMT