W3C home > Mailing lists > Public > xml-dist-app@w3.org > January 2006

Re: Action Item - Part I: WSRX and MEP signaling on the wire (clarification)

From: John Kemp <john.kemp@nokia.com>
Date: Fri, 13 Jan 2006 10:44:26 -0500
Message-Id: <7926BFA4-5ECD-4001-8D60-CEB7F2621CF3@nokia.com>
Cc: xml-dist-app@w3.org
To: ext Mark Baker <distobj@acm.org>

Hi Mark,

Ultimately, it's the case that a PAOS-capable user-agent should be  
aware of related security considerations -- a PAOS-capable user-agent  
cannot rely on being protected by a firewall. In any case, this  
security consideration is noted directly in the PAOS specification  
(section 12 of [1]). In particular, PAOS-capable user-agent  
implementations are recommended to authenticate the requester via TLS/ 
SSL with certificate verification, an option certainly available to  
most existing user-agents. Such authentication may of course be  
performed by an intermediary (which may or may not specifically care  
about SOAP or PAOS) prior to dispatching the (SOAP) message to the  
PAOS-capable user-agent.

Cheers,

- JohnK

[1] http://www.projectliberty.org/specs/liberty-paos-v1.1.pdf

On Jan 12, 2006, at 9:12 PM, ext Mark Baker wrote:

> Hi John,
>
> On 1/12/06, John Kemp <john.kemp@nokia.com> wrote:
>> Firewalls certainly come in different varieties, and some will be
>> smarter than others. But as something to which a SOAP message has
>> been dispatched (whether it's a SOAP request or a SOAP response) why
>> is it any more of a security risk to be dispatched a (SOAP) request
>> message that was in response to an (HTTP) message I sent than it is
>> to get a SOAP response to a SOAP request I sent?
>
> Because only requests are attempts to access services, and it's access
> to services that a firewall is trying to mediate.
>
>> From a course-
>> grained firewall (one that doesn't inspect the contents of the HTTP
>> response I guess) perspective, the HTTP response is still related to
>> the request that was sent, and the HTTP response is sent back to the
>> agent that initiated the HTTP request -- in both cases.
>
> "Related" isn't sufficient information for the firewall to do its job.
>
>>
>> Speaking only to the PAOS question, I would note that the user agent
>> receiving the HTTP response here will have explicitly advertised the
>> service it offers specifically to the HTTP server with which it is
>> interacting (via the PAOS HTTP header, during the HTTP request),
>> making this more secure in some respects than the reception of an
>> unsolicited SOAP request, which was not initiated by some action at
>> the associated user agent (such as the user explicitly requesting
>> some URL).
>
> It makes it more visible to intermediaries that know to look for that
> feature, enabling them to recognize the related incoming request if
> they want to ... which is all well and fine, but no help at all to the
> millions of existing firewalls which rely *only* on HTTP semantics to
> distinguish request and response.
>
> Mark.
Received on Friday, 13 January 2006 15:45:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:59:21 GMT