- From: <bugzilla@soe.ucsc.edu>
- Date: Tue, 11 Oct 2005 23:33:20 -0700
- To: w3c-dist-auth@w3.org
http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=99
Summary: Risks Connected with Lock Tokens
Product: WebDAV-RFC2518-bis
Version: -07
Platform: Other
URL: http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-07.html#rfc.section.19.7
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: 19. Security Considerations
AssignedTo: joe-bugzilla@cursive.net
ReportedBy: julian.reschke@greenbytes.de
QAContact: w3c-dist-auth@w3.org
"This specification requires the use of Universal Unique Identifiers (UUIDs) [9]
for lock tokens, in order to guarantee their uniqueness across space and time."
No, it doesn't (I realize RFC2518 said something similar, but it's still
inaccurate).
It goes on to say that UUIDs may reveal information you don't want to reveal,
but then stops. It *used* to say:
"Section 24.2 of this specification details an alternate mechanism for
generating the "node" field of a UUID without using an IEEE 802
address, which alleviates the risks associated with exposure of IEEE
802 addresses by using an alternate source of uniqueness."
As we removed that part, we should now point to
<http://greenbytes.de/tech/webdav/rfc4122.html#node-id-no-id>
Received on Wednesday, 12 October 2005 06:33:32 UTC
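
The node-field risk raised in this report, as an added example that is not part of the original message or the draft: it generates a time-based UUID lock token with a random node ID (RFC 4122 section 4.5, multicast bit set) and classifies existing tokens by what their node field could expose. The `opaquelocktoken:` and `urn:uuid:` prefixes, the function names and the sample tokens are assumptions made for the illustration.

```python
import secrets
import uuid

MULTICAST_BIT = 1 << 40  # least significant bit of the node's first octet
SCHEMES = ("opaquelocktoken:", "urn:uuid:")  # assumed lock token URI forms


def random_node() -> int:
    """48-bit node per RFC 4122 section 4.5: random value, multicast bit set."""
    return secrets.randbits(48) | MULTICAST_BIT


def new_lock_token() -> str:
    """Time-based UUID lock token that carries no IEEE 802 address."""
    clock_seq = secrets.randbits(14)
    return SCHEMES[0] + str(uuid.uuid1(node=random_node(), clock_seq=clock_seq))


def audit_lock_token(token: str) -> str:
    """Report what the node field of a lock token could expose."""
    for scheme in SCHEMES:
        if token.startswith(scheme):
            # Keep only the 36-character UUID; ignore any trailing extension.
            value = uuid.UUID(token[len(scheme):len(scheme) + 36])
            break
    else:
        raise ValueError("not a UUID-based lock token: %r" % token)
    if value.version != 1:
        return "not-time-based"          # no node field to inspect
    if value.node & MULTICAST_BIT:
        return "random-node"             # cannot be a real interface address
    return "possible-hardware-address"   # unicast node: may be the server's MAC


# Constructed sample tokens (not taken from any real server).
SAMPLES = [
    "opaquelocktoken:c9a646d3-9c61-11da-a94d-001122334455",
    "urn:uuid:c9a646d3-9c61-11da-a94d-0166a1b2c3d4",
    "urn:uuid:3f2b8c1e-5d4a-4e6b-9f1a-7c8d9e0f1a2b",
]

if __name__ == "__main__":
    for sample in SAMPLES + [new_lock_token()]:
        print(f"{audit_lock_token(sample):26} {sample}")
```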