- From: Tom Rutt <tom@coastin.com>
- Date: Mon, 11 Jul 2005 16:37:14 -0400
- To: "Husband, Yin-Leng" <yin-leng.husband@hp.com>
- CC: public-ws-addressing@w3.org, "Vambenepe, William N" <vbp@hp.com>

I think this concern is the same as that expressed in the formal objection, posted as:
http://lists.w3.org/Archives/Public/public-ws-addressing/2005May/0047.html

Perhaps HP might want to consider supporting that formal objection.

Tom Rutt

Husband, Yin-Leng wrote:

> HP is concerned that the current WS-A specification creates a serious
> security risk by providing a way to trick consumers of EPRs to send
> (and potentially sign) headers that carry semantics they do not
> understand and would not agree to send if they understood them. The
> specification does not provide an adequate way for the EPR consumer to
> protect itself. The wsa:isReferenceParameter attribute is not
> sufficient because:
>
> - the schema of the header might not allow attribute extension
>
> - there is no mechanism (like soap:MustUnderstand for headers) to
>   specify, in a way that all SOAP processors must understand, that this
>   attribute must be understood.
>
> This problem is further discussed at [1] and solutions to this problem
> have been proposed to the WG, including at [2].
>
> [1] http://h20276.www2.hp.com/blogs/vambenepe/2005/06/20/1119312469000.html
>
> [2] http://lists.w3.org/Archives/Public/public-ws-addressing/2004Nov/0474.html
>
> Yin Leng

--
----------------------------------------------------
Tom Rutt
email: tom@coastin.com; trutt@us.fujitsu.com
Tel: +1 732 801 5744 Fax: +1 732 774 5133

Received on Monday, 11 July 2005 20:39:38 UTC
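
To make the concern in the quoted message concrete, the following added example (not part of the original thread, and not code from HP or the working group) shows an EPR consumer that copies reference parameters into SOAP header blocks only when their QNames are on a local allow-list. The namespace URI, the sample EPR, the header names and the allow-list policy are assumptions constructed for illustration; the allow-list is a consumer-local policy, not a mechanism defined by WS-Addressing.

```python
import xml.etree.ElementTree as ET

# Assumption: WS-Addressing namespace URI; substitute the one your stack uses.
WSA = "http://www.w3.org/2005/08/addressing"

# Constructed EPR: one reference parameter is an opaque application key, the
# other reuses a header QName that has its own meaning for the receiver.
SAMPLE_EPR = f"""
<wsa:EndpointReference xmlns:wsa="{WSA}"
    xmlns:app="urn:example:app" xmlns:pay="urn:example:payments">
  <wsa:Address>http://service.example/endpoint</wsa:Address>
  <wsa:ReferenceParameters>
    <app:SessionKey>abc123</app:SessionKey>
    <pay:AuthorizeTransfer amount="1000">acct-42</pay:AuthorizeTransfer>
  </wsa:ReferenceParameters>
</wsa:EndpointReference>
"""

# Hypothetical consumer policy: header QNames this consumer agrees to echo.
ALLOWED_HEADERS = {"{urn:example:app}SessionKey"}

def headers_from_epr(epr_xml, allowed=ALLOWED_HEADERS):
    """Split an EPR's reference parameters into (to_send, refused).

    Accepted elements are marked with wsa:IsReferenceParameter, as a consumer
    does when it copies a parameter into a SOAP header block. Anything not on
    the allow-list is reported instead of being sent (or signed).
    """
    # EPRs come from other parties: use a hardened XML parser in production.
    epr = ET.fromstring(epr_xml)
    params = epr.find(f"{{{WSA}}}ReferenceParameters")
    to_send, refused = [], []
    for elem in (list(params) if params is not None else []):
        if elem.tag in allowed:
            elem.set(f"{{{WSA}}}IsReferenceParameter", "true")
            to_send.append(elem)
        else:
            refused.append(elem.tag)
    return to_send, refused

if __name__ == "__main__":
    send, refused = headers_from_epr(SAMPLE_EPR)
    for header in send:
        print("send   ", ET.tostring(header, encoding="unicode").strip())
    for tag in refused:
        print("refused", tag)
```
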