- From: Richard Salz <rsalz@us.ibm.com>
- Date: Mon, 2 Apr 2007 15:34:45 -0400
- To: Anish Karmarkar <Anish.Karmarkar@oracle.com>
- Cc: WS-Addressing <public-ws-addressing@w3.org>
> Isn't this similar to the issue of what does a consumer do with
> wsa:Address value within an EPR when it already has a WSDL with the WSDL
> port/endpoint information in it?
It's different because the client presumably *asked* for the EPR.
I am concerned about an EPR service being an obvious place to attack.
Right now, if I use XML encryption, for example, I don't have to worry
about DNS being compromised, because I can make sure that my message can
only be decrypted by its intended recipient. Once an EPR can have policy
statements, an attacker might be able to send me an EPR with a security
policy that says "just sign it." If I trust that EPR -- or, more
accurately, if the all-singing and dancing runtime that I'm forced to use
trusts it -- then I have lost the ability to protect myself. This is a
real concern; a similar weakness is one of the main reasons why SSLv2
should not be used.
The idea that every policy-carrying EPR is a potential man-in-the-middle
attack is not one that occurs to many people.
/r$
--
STSM
Senior Security Architect
DataPower SOA Appliances
Received on Monday, 2 April 2007 19:34:55 UTC