- From: Francisco Curbera <curbera@us.ibm.com>
- Date: Mon, 27 Jun 2005 13:16:49 -0400
- To: public-ws-addressing@w3.org
Issue LC90 proposes changing the following paragraph in the security section, "Some processors may use message identifiers ([message id]) as part of a uniqueness metric in order to detect replays of messages. Care should be taken to ensure that for purposes of replay detection, the message identifier is combined with other data, such as a timestamp, so that a legitimate retransmission of the message is not confused with a replay attack." to the alternate text, "For purposes of reliability and security, the [message id] property SHOULD regarded simply as another part of the message payload. It SHOULD NOT be used as part of a uniqueness metric in order to detect replays of messages, as a message with a given [message id] may be legitimately re-sent for purposes of reliable transmission." We think that there is no justification to say that you one cannot use messageID as part of an uniqueness criterion for security purposes, so the "SHOULD NOT" in the proposed text is unjustified. The original text is more balanced, recognizing that message_if may be used and giving the right advice if one chooses to do so. I propose we close with no change. Paco
Received on Monday, 27 June 2005 17:16:58 UTC