[Bug 99] Risks Connected with Lock Tokens

http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=99

------- Additional Comments From julian.reschke@greenbytes.de  2005-11-27 05:12 -------
Suggested replacement text (see also
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-rfc2518bis-latest.html#rfc.issue.bz099>):

19.7  Risks Connected with Lock Tokens

   This specification, in Section 6.3, encourages the use of Universal
   Unique Identifiers (UUIDs) in lock tokens, in order to guarantee
   their uniqueness across space and time.  Version 1 UUIDs, as defined
   in Section 4 of [RFC4122], may contain a "node" field which "consists
   of an IEEE 802 MAC address, usually the host address.  For systems
   with multiple IEEE 802 addresses, any available one can be used".
   Since a WebDAV server will issue many locks over its lifetime, the
   implication is that it may also be publicly exposing its IEEE 802
   address.

   There are several risks associated with exposure of IEEE 802
   addresses.  Using the IEEE 802 address:

   o  It is possible to track the movement of hardware from subnet to
      subnet.

   o  It may be possible to identify the manufacturer of the hardware
      running a WebDAV server.

   o  It may be possible to determine the number of each type of
      computer running WebDAV.

   This risk only applies to host address based UUID versions.  Section
   4 of [RFC4122] describes several other mechanisms for generating
   UUIDs that do involve the host address and therefore do not suffer
   from this risk.

Received on Sunday, 27 November 2005 13:13:01 UTC
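The risk described in the proposed text is easy to check for on a real server: a version 1 UUID carries its 48-bit node field in the clear, so anyone holding a lock token can read it back. The following added example (not part of the bug report or the draft) mints lock tokens from version 4 UUIDs and inspects any token to see whether it embeds a unicast IEEE 802 address; the `urn:uuid:` token form and the helper names are assumptions for the illustration, and the version 1 tokens in the test are constructed with made-up node values.

```python
import uuid

# Assumed lock-token form for this example: "urn:uuid:<uuid>".
TOKEN_PREFIX = "urn:uuid:"


def mint_lock_token() -> str:
    """Mint a lock token from a version 4 (random) UUID: no timestamp, no node field."""
    return TOKEN_PREFIX + str(uuid.uuid4())


def constructed_v1_token(node: int) -> str:
    """Build a version 1 token with a chosen node value (constructed test data only).

    A real server would use the host's own node; this helper exists so the
    exposure check can be exercised without touching the local MAC address.
    """
    return TOKEN_PREFIX + str(uuid.uuid1(node=node))


def node_exposure(token: str) -> dict:
    """Report whether a lock token embeds a hardware (IEEE 802) address.

    Only version 1 UUIDs carry a node field.  RFC 4122 section 4.5 says a
    randomly generated node ID must set the multicast bit (least significant
    bit of the first octet), which no real IEEE 802 unicast address has; a
    version 1 UUID whose node has that bit clear is therefore treated as
    exposing a real host address.
    """
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a urn:uuid lock token")
    u = uuid.UUID(token[len(TOKEN_PREFIX):])
    result = {"version": u.version, "node": None, "exposes_mac": False}
    if u.version == 1:
        node = u.node                        # 48-bit node field of the UUID
        multicast = bool((node >> 40) & 1)   # LSB of the first octet
        result["node"] = f"{node:012x}"
        result["exposes_mac"] = not multicast
    return result
```

Run over the tokens a server has issued, this check flags any token whose node field looks like a real interface address; tokens minted by `mint_lock_token` never do.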