Re: i004: Text for reorganization of security sections from Mark Nottingham on 2005-03-01 (public-ws-addressing@w3.org from March 2005)

From: Mark Nottingham <mark.nottingham@bea.com>
Date: Tue, 1 Mar 2005 16:05:06 -0500
To: Hugo Haas <hugo@w3.org>
Cc: public-ws-addressing@w3.org
Message-Id: <a1059320dc55437cd77bc18d331009b4@bea.com>
Text accepted by the WG for the core:

[[[
Security Considerations (new section)

Users (i.e., entities creating, consuming or receiving Message  
Addressing Properties and EPRs) of WS-Addressing and EPRs SHOULD only  
use EPRs from sources they trust. For example, such users could only  
use EPRs that are signed by parties the user of the EPR trusts, or have  
some out-of-band means of establishing trust.

EPRs as well as message addressing properties SHOULD be integrity
protected to prevent tampering. Such optional integrity protection might
be provided by transport, message level signature, and use of an XML
Digital Signature within EPRs.

To prevent information disclosure, EPR issuers SHOULD NOT put sensitive
information into the [address] or [reference parameters] properties.

Some processors may use message identifiers ([message id]) as part of a
uniqueness metric in order to detect replays of messages. Care should be
taken to ensure that for purposes of replay detection, the message  
identifier is combined with other data, such as a timestamp, so that a  
legitimate retransmission of the message is not confused with a replay  
attack.
]]]

Text accepted by the WG for SOAP:

[[[
Security consideration (new text)

WS-Addressing message addressing properties serialized as SOAP headers
(wsa:To, wsa:Action et al.) including those headers present as a result
of the [reference parameters] property SHOULD be integrity protected as
explained in @@@link to Core's security section @@@.

When receiving a SOAP message, certain SOAP headers may be resulting
from the serialization of an EPR's [reference parameters] property. The
SOAP message receiver MAY perform additional security and sanity checks
to prevent unintended actions.

---------

New section on intermediaries processing of SOAP messages containing
Addressing headers

To avoid breaking signatures, intermediaries MUST NOT change the XML
representation of WS-Addressing headers. Specifically, intermediaries  
MUST
NOT remove XML content that explicitly indicates otherwise-implied
content, and intermediaries MUST NOT insert XML content to make implied
values explicit. For instance, if a RelationshipType attribute is
present with a value of "http://www.w3.org/@@@@/@@/addressing/reply", an
intermediary MUST NOT remove it; similarly, if there is no
RelationshipType attribute, an intermediary MUST NOT add one.

]]]



On Mar 1, 2005, at 12:17 PM, Hugo Haas wrote:

> * Hugo Haas <hugo@w3.org> [2005-02-28 16:28-0500]
>> Attached is some proposed text for the security sections in the Core
>> and SOAP binding specs.
>>
>> I have taken into consideration the following inputs:
>> - Web Services Addressing 1.0 - SOAP Binding's section 4. Security
>>   Considerations:
>>   http://www.w3.org/TR/2005/WD-ws-addr-soap-20050215/#_Toc77464334
>> - Gudge's proposal:
>>    
>> http://lists.w3.org/Archives/Public/public-ws-addressing/2005Feb/ 
>> 0130.html
>> - Paco's proposed amendment to Gudge's text:
>>    
>> http://lists.w3.org/Archives/Public/public-ws-addressing/2005Feb/ 
>> 0175.html
>>
>> Below is the detail of what I have done:
>> - started with Gudge's text
>> - split abstract (expressed with in terms of properties) vs. SOAP
>>   headers stuff into different specs
>> - incorporated useful stuff from the spec minus motherhood and apple
>>   pie text which I thought didn't bring much to the table.
>> - included users of WS-Addressing in the same bag as users of EPRs
>> - removed redundant text
>
> With the deletion of bullet 4.2 in my proposal for i007, I think that
> we ought to add a security note about SOAP header blocks that appear
> as a result of serializing reference parameters — arguably, the
> security text I put in my proposal for i007 should really have been in
> the security section to start with.
>
> Attached is the new text.
>
> As a clarification, the added text are proposals for complete
> sections, not additions.
>
> Cheers,
>
> Hugo
>
> -- 
> Hugo Haas - W3C
> mailto:hugo@w3.org - http://www.w3.org/People/Hugo/
> <core-sc.txt><soap-sc.txt>

--
Mark Nottingham   Principal Technologist
Office of the CTO   BEA Systems
Received on Tuesday, 1 March 2005 21:05:11 UTC