
[Bug 99] New: Risks Connected with Lock Tokens

From: <bugzilla@soe.ucsc.edu>
Date: Tue, 11 Oct 2005 23:33:20 -0700
Message-Id: <200510120633.j9C6XKhw004358@ietf.cse.ucsc.edu>
To: w3c-dist-auth@w3.org

http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=99

           Summary: Risks Connected with Lock Tokens
           Product: WebDAV-RFC2518-bis
           Version: -07
          Platform: Other
               URL: http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-07.html#rfc.section.19.7
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: 19.  Security Considerations
        AssignedTo: joe-bugzilla@cursive.net
        ReportedBy: julian.reschke@greenbytes.de
         QAContact: w3c-dist-auth@w3.org


"This specification requires the use of Universal Unique Identifiers (UUIDs) [9]
for lock tokens, in order to guarantee their uniqueness across space and time."

No, it doesn't (I realize RFC2518 said something similar, but it's still
inaccurate).

It goes on to say that UUIDs may reveal information you don't want to reveal,
but then stops. It *used* to say:

 "Section 24.2 of this specification details an alternate mechanism for	 		
 generating the "node" field of a UUID without using an IEEE 802
 address, which alleviates the risks associated with exposure of IEEE
 802 addresses by using an alternate source of uniqueness."

As we removed that part, we should now point to
<http://greenbytes.de/tech/webdav/rfc4122.html#node-id-no-id>



Received on Wednesday, 12 October 2005 06:33:32 GMT
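
The node-field concern raised in the report above, as an added Python example that is not part of the original message or of the specification: it checks whether the UUID in a lock token is a version 1 UUID carrying a unicast IEEE 802 address, and mints tokens with a random node ID whose multicast bit is set, as RFC 4122 describes for hosts without an 802 address. The function names and the sample token are constructed for illustration; the `opaquelocktoken:` and `urn:uuid:` prefixes are the token forms assumed here.

```python
import secrets
import uuid

# Least significant bit of the first node octet. RFC 4122 sets it on random
# node IDs so they can never collide with a real (unicast) 802 address.
MULTICAST_BIT = 0x010000000000


def random_node() -> int:
    """Return a 48-bit node ID from a CSPRNG with the multicast bit set."""
    return secrets.randbits(48) | MULTICAST_BIT


def new_lock_token() -> str:
    """Mint a version 1 UUID lock token that does not embed a MAC address."""
    u = uuid.uuid1(node=random_node(), clock_seq=secrets.randbits(14))
    return "opaquelocktoken:" + str(u)


def classify(token: str) -> dict:
    """Report what the UUID inside a lock token discloses about its issuer."""
    raw = token.strip().strip("<>")
    for prefix in ("opaquelocktoken:", "urn:uuid:"):
        if raw.lower().startswith(prefix):
            raw = raw[len(prefix):]
            break
    u = uuid.UUID(raw)  # raises ValueError on malformed input
    info = {"version": u.version, "node": None, "likely_mac": False}
    if u.version == 1:
        info["node"] = "%012x" % u.node
        # Multicast bit clear: the node field is probably a real 802 address.
        info["likely_mac"] = not (u.node & MULTICAST_BIT)
    return info


if __name__ == "__main__":
    # Constructed sample: version 1 UUID with a unicast-looking node field.
    leaky = "opaquelocktoken:3f2a1b4c-5d6e-11da-8cd6-0800200c9a66"
    print(classify(leaky))
    print(classify(new_lock_token()))
```
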
