Re: Updated proposal for lc87 and lc55

Hi Marc.

* Marc Hadley <Marc.Hadley@Sun.COM> [2005-07-15 17:04-0400]
> Attached below is an updated proposal for issues lc87 and lc55 (the  
> nasty security ones ;-)). I've incorporated the feedback from Hugo  
> and include two versions of the contentious "Establishing EPR Trust"  
> section: one that includes a normative mechanism and one that  
> includes the mechanism as an example.

I also sent some comments about section X at [1].

Let me propose a concrete friendly amendment to your proposal.

> -- cut here --
> 
> X. Security Considerations (Core)
> 
> Conformance to this specification does not require a message receiver  
> to honor the WS-Addressing constructs within a message if the  
> receiver is not satisfied that the message is safe to process.
>
> WS-Addressing supports capabilities that allow a message sender to  
> instruct a message receiver to send additional unsolicited messages  
> to other receivers of their choice. To an extent the content of such  
> unsolicited messages can also be controlled using reference parameters  
> supplied by the initial message sender. Because of these capabilities  
> it is essential that communications using WS-Addressing are  
> adequately secured and that a sufficient level of trust is  
> established between the communicating parties before a receiver  
> processes WS-Addressing constructs within a message. There are  
> several aspects to securing a message:
> 
> (i) EPRs and message addressing properties should be integrity- 
> protected to prevent tampering. Such integrity protection might be  
> provided by the transport, a message level signature, or use of an  
> XML digital signature within EPRs.
> 
> (ii) Users of EPRs should validate the trustworthiness of an EPR  
> before using it by considering the two following aspects:
> 
> (a) that the EPR was obtained from a trusted source
> (b) that it was obtained from a source with authority to represent  
> the [address] of that EPR.

How about the following replacement for (ii):

  (ii) Users of EPRs should validate the trustworthiness of an EPR
  before using it. This may be established by considering a
  combination of the following aspects:

  (a) the EPR was obtained from a trusted source
  (b) the source of the EPR has authority to represent the [address] of
  the EPR
  (c) the [address] of the EPR is a trusted destination

> For example, the receiver of a message might rely on the presence of  
> a verifiable signature by a trusted party over the message addressing  
> properties to determine that the message originated from a trusted  
> source and further require that the [reply endpoint] and [fault  
> endpoint] are signed by a principal with authority to represent the  
> [address] of those EPRs to ensure that unsolicited messages are not  
> sent. Alternatively an out-of-band means of establishing trust might  
> be used to determine whether a particular EPR is trustworthy.

Cheers,

Hugo

  1. http://lists.w3.org/Archives/Public/public-ws-addressing/2005Jul/0013.html
-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/

Received on Monday, 18 July 2005 09:02:45 UTC
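As an added illustration of the three aspects discussed in this thread (a trusted source, authority over the [address], and a trusted destination), and not code from the proposal, the W3C, or any WS-Addressing implementation: a small Python gate that refuses to act on the [reply endpoint] and [fault endpoint] of an incoming SOAP message unless every check holds. The `Mac` header, the signer names, the policy tables and the sample envelopes are all constructed for this example; the HMAC over the addressing properties is a stand-in for the message-level WS-Security / XML Signature the proposal actually has in mind, and the policy is one possible reading of (ii)(a)-(c), not a normative one.

```python
"""Constructed example: refuse WS-Addressing ReplyTo/FaultTo unless source,
authority and destination are all acceptable.  Not from the proposal."""
import hashlib
import hmac
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on real input
from urllib.parse import urlparse

WSA = "http://www.w3.org/2005/08/addressing"        # WS-Addressing 1.0 Core
SOAP = "http://www.w3.org/2003/05/soap-envelope"
SIG = "urn:example:addressing-mac"                   # hypothetical stand-in for WS-Security
ANONYMOUS = WSA + "/anonymous"
NONE = WSA + "/none"

# Hypothetical local policy.  In practice these come from key material and
# configuration, not literals.
TRUSTED_SIGNERS = {"partner-a": b"partner-a-shared-secret"}   # (ii)(a) sources we trust
SIGNER_AUTHORITY = {"partner-a": {"partner-a.example"}}       # (ii)(b) hosts a signer may represent
TRUSTED_DESTINATIONS = {"partner-a.example", "hub.example"}   # (ii)(c) hosts we will ever send to

PROPS = ("To", "Action", "MessageID", "ReplyTo", "FaultTo")


def canonical(props):
    """Deterministic byte form of the message addressing properties the MAC covers."""
    return "\n".join(f"{k}={props[k]}" for k in PROPS).encode()


def addressing_properties(envelope_xml):
    """Extract the addressing properties and the (constructed) signature header."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header")
    props = {}
    for name in ("To", "Action", "MessageID"):
        el = header.find(f"{{{WSA}}}{name}")
        props[name] = (el.text or "").strip() if el is not None else ""
    for name in ("ReplyTo", "FaultTo"):
        el = header.find(f"{{{WSA}}}{name}/{{{WSA}}}Address")
        # An absent EPR is treated as anonymous: nothing unsolicited is sent.
        props[name] = (el.text or "").strip() if el is not None else ANONYMOUS
    return props, header.find(f"{{{SIG}}}Mac")


def check_addressing(envelope_xml):
    """Return (ok, reasons).  ok is True only when every aspect (i)-(ii)(c) holds."""
    props, sig = addressing_properties(envelope_xml)
    reasons = []

    # (i) integrity and (ii)(a) trusted source: a valid MAC from a known signer.
    signer = sig.get("signer") if sig is not None else None
    key = TRUSTED_SIGNERS.get(signer)
    if key is None:
        reasons.append("no signature from a trusted source")
        signer = None
    else:
        expected = hmac.new(key, canonical(props), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, (sig.text or "").strip()):
            reasons.append("addressing properties fail integrity check")
            signer = None  # a broken signature asserts nothing about the EPRs

    # (ii)(b) and (ii)(c) for each EPR that would cause an unsolicited message.
    for role in ("ReplyTo", "FaultTo"):
        addr = props[role]
        if addr in (ANONYMOUS, NONE):
            continue
        host = urlparse(addr).hostname or ""
        if host not in TRUSTED_DESTINATIONS:
            reasons.append(f"{role} {addr}: not a trusted destination")
        if host not in SIGNER_AUTHORITY.get(signer, set()):
            reasons.append(f"{role} {addr}: signer has no authority for this address")
    return (not reasons, reasons)


def build_message(signer, key, to, action, msgid, reply_to=None, fault_to=None):
    """Construct a sample envelope; key=None yields an unsigned message."""
    props = {"To": to, "Action": action, "MessageID": msgid,
             "ReplyTo": reply_to or ANONYMOUS, "FaultTo": fault_to or ANONYMOUS}
    eprs = "".join(f"<wsa:{r}><wsa:Address>{props[r]}</wsa:Address></wsa:{r}>"
                   for r in ("ReplyTo", "FaultTo") if props[r] != ANONYMOUS)
    sig = ""
    if key is not None:
        mac = hmac.new(key, canonical(props), hashlib.sha256).hexdigest()
        sig = f'<m:Mac xmlns:m="{SIG}" signer="{signer}">{mac}</m:Mac>'
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsa="{WSA}"><soap:Header>'
            f"<wsa:To>{to}</wsa:To><wsa:Action>{action}</wsa:Action>"
            f"<wsa:MessageID>{msgid}</wsa:MessageID>{eprs}{sig}"
            "</soap:Header><soap:Body/></soap:Envelope>")


if __name__ == "__main__":
    key = TRUSTED_SIGNERS["partner-a"]
    good = build_message("partner-a", key, "https://service.example/orders",
                         "urn:example:order", "urn:uuid:1", "https://partner-a.example/replies")
    hostile = build_message("partner-a", key, "https://service.example/orders",
                            "urn:example:order", "urn:uuid:2", "https://victim.example/sink")
    print(check_addressing(good))
    print(check_addressing(hostile))
```

The tampered-message case is the one to keep in mind when reading the proposal: once the signature over the addressing properties fails, the signer's authority is discarded along with it, so a [reply endpoint] rewritten in transit fails (ii)(b) even when it points at a host that would otherwise be an acceptable destination.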