Last call issue with ReplyTo and security from Tim Ewald on 2005-04-18 (public-ws-addressing-comments@w3.org from April 2005)

From: Tim Ewald <tim@mindreef.com>
Date: Mon, 18 Apr 2005 16:51:25 -0400
To: <public-ws-addressing-comments@w3.org>
Message-ID: <55.5308.1119866790@automsgid.listhub.w3.org>

As I read the spec, a compliant WS-Addressing based endpoint MUST use the
value in the ReplyTo header as the place to send a reply message. Further,
when a reply is expected, the ReplyTo header must be present. Because of
this, the section on security recommends that a service SHOULD only use EPRs
from trusted sources.

My issue with this is that it isn't enough to trust the source, I have to
trust that source that it's okay to send reply messages to the requested
endpoint. I may trust one source enough to send messages to a specific,
prearranged domain, but it is unlikely that I trust a source enough to send
messages anywhere. In the absence of that very specific trust, it seems
reasonable that a service would trust a client enough to process the request
and to send the response back to the client on the same connection (sort of
the inverse of the Java applet sandboxing model).

To implement that, a service would check for a ReplyTo header - which must
be present in the case of a reply - and check to see whether the address was
the anonymous URI. If the address is anything else, the service should raise
a fault. As I read the spec, however, that is not allowed.

In short, if a ReplyTo is required and MUST be honored, then I have no
choice but to ensure that I trust sources of EPRs enough to let them tell me
to send messages to an arbitrary address (which is a lot of trust indeed!).
If I can't do that, I have to either violate the protocol or just not use
WS-Addressing.

I faced this precise issue when I worked at MSDN. We considered using WSE to
implement our services, but it honored the ReplyTo header. Since MSDN offers
services that are used by the public (indirectly via VS.NET), we didn't
trust callers enough to get us to pummel arbitrary URIs with messages. As a
result, WSE added a feature to disable ReplyTo/FaultTo processing, and they
are disabled by default. 

Given the importance of security, I believe the WS-Addressing spec must
address this issue. Simply saying that services SHOULD only use endpoints
from trusted sources is NOT sufficient.

Thanks,
Tim-

_______________________
Tim Ewald
http://www.mindreef.com

Received on Monday, 18 April 2005 20:51:28 UTC