i004: Security Model from Marc Hadley on 2005-02-23 (public-ws-addressing@w3.org from February 2005)

From: Marc Hadley <Marc.Hadley@Sun.COM>
Date: Tue, 22 Feb 2005 20:04:06 -0500
To: public-ws-addressing@w3.org
Message-id: <94286dee2ee14ed729b73ea21715c2f0@Sun.COM>
I have an action item to "identify parts of the specs that place  
requirements on the security model". There are several aspects of  
WS-Addressing that raise security concerns, most notably the ability  
for a sender to arrange for a receiver to send replies or faults to a  
message to an arbitrary EPR and (when using the SOAP binding) to  
include arbitrary canned SOAP headers in the resulting message. The  
security considerations section of the SOAP binding[1] lists the  
concerns in greater detail and proposes some generic counter measures.  
Gudge's proposal for resolving issue 4 [3] seems to cover much of the  
same ground as the existing text though in terser language and with  
some additional concerns (e.g. the suggestion to not put sensitive
information into wsa:Address values or Reference Parameters).

I previously tried to raise an issue[2] about the inadequacy of the  
security considerations section which I agreed to defer until the  
security model had been defined. Gudge's proposal for resolving issue 4  
doesn't cover the concern I raised about the nature of trusting EPRs:

Security Considerations text: "Whenever an address is specified (e.g.  
<wsa:From>,  <wsa:ReplyTo>, <wsa:FaultTo>, ...), the processor should   
ensure that a signature is provided with claims allowing it to speak  
for the  specified target in order to prevent certain classes of  
attacks (e.g. redirects). As  well, care should be taken if the  
specified endpoint contains reference  parameters as unverified   
endpoint references could cause certain classes of header insertion  
attacks."

Gudge's proposal: "Users of EPRs SHOULD only use EPRs from sources they  
trust. In practice this is likely to mean that users of EPRs only use  
EPRs that are signed by parties the user of the EPR trusts."

I think that the minimum required to declare victory is for  
WS-Addressing to concretely define what is meant by "claims allowing it  
to speak for the specified target" or "EPRs that are signed by parties  
the user of the EPR trusts". If we don't define this then use of  
<ReplyTo> and <FaultTo> (except when using the anonymous address URI)  
will be restricted in publicly deployed systems since, without such a  
concrete definition, most endpoints simply won't allow their use  
because of security concerns.

To repeat my original proposal[2]: Add more exact language to the  
specification outlining the message security requirements that must be  
met for an EPR to be trusted. Add a standard fault that may be returned  
on receipt of a message that fails to meet such security requirements.

In addition I'd propose that we move the generic parts of the security  
considerations section to a new section in the core and define concrete  
security mechanisms for SOAP in the SOAP binding.

Marc.

[1]  
http://dev.w3.org/cvsweb/~checkout~/2004/ws/addressing/ws-addr- 
soap.html#_Toc77464334
[2] http://www.w3.org/mid/44A0547C-3E2C-11D9-8A29-000A95BC8D92@Sun.COM

---
Marc Hadley <marc.hadley at sun.com>
Web Technologies and Standards, Sun Microsystems.
Received on Wednesday, 23 February 2005 01:04:11 UTC