- From: Husband, Yin-Leng <yin-leng.husband@hp.com>
- Date: Tue, 12 Jul 2005 06:30:19 +1000
- To: <public-ws-addressing@w3.org>
- Cc: "Vambenepe, William N" <vbp@hp.com>
Received on Monday, 11 July 2005 20:32:34 UTC
HP is concerned that the current WS-A specification creates a serious security risk by providing a way to trick consumers of EPRs into sending (and potentially signing) headers that carry semantics they do not understand and would not agree to send if they understood them.

The specification does not provide an adequate way for the EPR consumer to protect itself. The wsa:IsReferenceParameter attribute is not sufficient because:

- the schema of the header might not allow attribute extension
- there is no mechanism (like soap:MustUnderstand for headers) to specify, in a way that all SOAP processors must understand, that this attribute must be understood.

This problem is further discussed at [1] and solutions to this problem have been proposed to the WG, including at [2].

[1] http://h20276.www2.hp.com/blogs/vambenepe/2005/06/20/1119312469000.html
[2] http://lists.w3.org/Archives/Public/public-ws-addressing/2004Nov/0474.html

Yin Leng
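The risk raised in the message above, seen from the EPR consumer's side, as an added example that is not part of the original message or of the WS-Addressing specification: a consumer copies an EPR's reference parameters into SOAP headers only when their QNames are on a local allowlist. The namespace URI (assumed to be the WS-Addressing 1.0 one), the sample EPR, the `urn:example:*` names and the `UNDERSTOOD` policy are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"  # assumption: WS-Addressing 1.0 namespace

# Constructed sample EPR; the second reference parameter is one the
# consumer has never seen and whose semantics it cannot judge.
SAMPLE_EPR = f"""
<wsa:EndpointReference xmlns:wsa="{WSA}"
    xmlns:shop="urn:example:shop" xmlns:bank="urn:example:bank">
  <wsa:Address>http://example.com/orders</wsa:Address>
  <wsa:ReferenceParameters>
    <shop:OrderId>42</shop:OrderId>
    <bank:AuthorizeTransfer>1000</bank:AuthorizeTransfer>
  </wsa:ReferenceParameters>
</wsa:EndpointReference>
"""

# Hypothetical policy: header QNames this consumer understands and agrees to send.
UNDERSTOOD = {"{urn:example:shop}OrderId"}

def headers_from_epr(epr_xml, understood):
    """Split an EPR's reference parameters into headers to send and QNames to refuse."""
    epr = ET.fromstring(epr_xml)
    params = epr.find(f"{{{WSA}}}ReferenceParameters")
    send, refused = [], []
    for param in (list(params) if params is not None else []):
        if param.tag in understood:
            # Mark the copy as a reference parameter. A receiver is free to
            # ignore this attribute, so it informs but does not protect.
            param.set(f"{{{WSA}}}IsReferenceParameter", "true")
            send.append(param)
        else:
            # Unknown semantics: never copied into the outgoing message,
            # and therefore never covered by the sender's signature.
            refused.append(param.tag)
    return send, refused

if __name__ == "__main__":
    send, refused = headers_from_epr(SAMPLE_EPR, UNDERSTOOD)
    for header in send:
        print("send   ", ET.tostring(header, encoding="unicode").strip())
    for tag in refused:
        print("refused", tag)
```
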