- From: <bugzilla@soe.ucsc.edu>
- Date: Sun, 27 Nov 2005 05:12:56 -0800
- To: w3c-dist-auth@w3.org
http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=99
------- Additional Comments From julian.reschke@greenbytes.de 2005-11-27 05:12 -------
Suggested replacement text (see also
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-rfc2518bis-latest.html#rfc.issue.bz099>):
19.7 Risks Connected with Lock Tokens
This specification, in Section 6.3, encourages the use of Universal
Unique Identifiers (UUIDs) in lock tokens, in order to guarantee
their uniqueness across space and time. Version 1 UUIDs, as defined
in Section 4 of [RFC4122], may contain a "node" field which "consists
of an IEEE 802 MAC address, usually the host address. For systems
with multiple IEEE 802 addresses, any available one can be used".
Since a WebDAV server will issue many locks over its lifetime, the
implication is that it may also be publicly exposing its IEEE 802
address.
There are several risks associated with exposure of IEEE 802
addresses. Using the IEEE 802 address:
o It is possible to track the movement of hardware from subnet to
subnet.
o It may be possible to identify the manufacturer of the hardware
running a WebDAV server.
o It may be possible to determine the number of each type of
computer running WebDAV.
This risk only applies to host address based UUID versions. Section
4 of [RFC4122] describes several other mechanisms for generating
UUIDs that do not involve the host address and therefore do not suffer
from this risk.
Received on Sunday, 27 November 2005 13:13:01 UTC
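Added example, not part of Julian's message or of the rfc2518bis draft: a small checker that takes a WebDAV lock token, parses the UUID it carries, and reports what a version 1 UUID discloses about the issuing host (the node field as a MAC address, whether that node is a real IEEE 802 address or a random one with the multicast bit set as RFC 4122 Section 4.5 prescribes, the OUI prefix, and the issue time). It assumes lock tokens use the opaquelocktoken URI scheme with a UUID after the colon; the sample tokens are constructed here, the first from the example UUID in RFC 4122 Section 3. The multicast-bit check is the caveat that matters in practice: only a version 1 token with that bit clear actually exposes hardware.

```python
# Added example (not code from the original message or from the 2518bis draft).
import uuid
from datetime import datetime, timedelta

# Version 1 timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15)


def lock_token_uuid(token: str) -> uuid.UUID:
    """Extract the UUID from an 'opaquelocktoken:<uuid>' lock token (assumed format)."""
    scheme, sep, rest = token.partition(":")
    if not sep or scheme.lower() != "opaquelocktoken":
        raise ValueError(f"not an opaquelocktoken URI: {token!r}")
    return uuid.UUID(rest)


def node_exposure(token: str):
    """Return what a version 1 lock token reveals about the issuing host,
    or None for any other UUID version (no node field to leak)."""
    u = lock_token_uuid(token)
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None
    node = u.node  # 48-bit node field
    # RFC 4122 4.5: a randomly chosen node has the multicast bit (least significant
    # bit of the first octet) set, so only a clear bit indicates a real IEEE 802 address.
    multicast = bool((node >> 40) & 1)
    mac = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
    issued = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return {
        "node": mac,
        "hardware_address": not multicast,
        "oui": mac[:8],  # manufacturer prefix; only meaningful for a hardware address
        "issued": issued,
        "clock_seq": u.clock_seq,
    }


def mint_lock_token() -> str:
    """Mint a lock token that carries no node field at all (version 4, random)."""
    return "opaquelocktoken:" + str(uuid.uuid4())


# Constructed sample tokens. V1_HARDWARE wraps the example UUID from RFC 4122
# Section 3; V1_RANDOM is the same UUID with the multicast bit set in its node
# field; V4_TOKEN is a version 4 UUID and exposes nothing about the host.
V1_HARDWARE = "opaquelocktoken:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
V1_RANDOM = "opaquelocktoken:" + str(
    uuid.UUID(fields=(0xF81D4FAE, 0x7DEC, 0x11D0, 0xA7, 0x65, 0x01A0C91E6BF6))
)
V4_TOKEN = "opaquelocktoken:3a5a4f1e-8c5b-4f0a-9f71-2b9f0a6e4c3d"

if __name__ == "__main__":
    for t in (V1_HARDWARE, V1_RANDOM, V4_TOKEN, mint_lock_token()):
        print(t, "->", node_exposure(t))
```

Run against a real server, the checker can be pointed at the Lock-Token header returned by a LOCK request; a non-None result with hardware_address True is exactly the exposure the text above describes, and mint_lock_token shows the simplest fix on the server side.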