- From: Jonathan Marsh <jmarsh@microsoft.com>
- Date: Tue, 28 Jun 2005 16:47:36 -0700
- To: <www-ws-desc@w3.org>
Here's a concrete proposal to address the objection [1] to the resolution of LC76c [2].

Suggest replacing

"When a fault is generated, the generating node MUST attempt to propagate the fault, and MUST do so in the direction and to the recipient specified by the ruleset."

in 2.2 of part 2 with

"Unless security concerns limit the ability to deliver faults (e.g. preventing participation in a denial of service attack), when a fault is generated, the generating node MUST attempt to propagate the fault, and MUST do so in the direction and to the recipient specified by the ruleset."

[1] http://lists.w3.org/Archives/Public/public-ws-desc-comments/2005May/0091.html
[2] http://www.w3.org/2002/ws/desc/4/lc-issues/issues.html#LC76c

> > -----
> > Section 2.1.1 and 2.1.2 say that the fault message must be
> > delivered. This implies that the endpoint does not have the option
> > to generate but not send the fault. While always useful for
> > debugging, faults are sometimes logged but not sent to prevent
> > information disclosure and denial of service attacks. SOAP 1.2
> > allows this.
>
> The WG agreed to incorporate the proposal at [36] to address this
> issue (LC76c) [37].
>
> [36] http://lists.w3.org/Archives/Public/www-ws-desc/2004Nov/0054.html
> [37] http://www.w3.org/2002/ws/desc/4/lc-issues/issues.html#LC76c

The text in 2.1 Fault Propagation Rules sounds like a best effort must be made to deliver the fault. However, as a security consideration, we need to allow our customers to turn off all faults. It's not obvious that this constitutes a "best effort." Please allow a specific exemption for security measures.
Received on Wednesday, 29 June 2005 00:10:06 UTC
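The distinction the thread turns on (a fault that is generated and logged locally but, for security reasons, not propagated to the recipient the ruleset names) is easy to see in code. The following is an added illustration, not code from the WSDL Working Group or from anyone in this thread; the `Ruleset`, `SecurityPolicy` and `Node` classes are a constructed model of the spec's terms, and the endpoint identifiers and fault contents are constructed sample values. Only the SOAP 1.2 envelope namespace and the `Code`/`Reason`/`Detail` fault structure come from the SOAP 1.2 specification itself.

```python
"""Fault propagation with a security exemption (added illustration).

A generated fault is always recorded locally so operators can debug it.
Whether it is also sent in the direction and to the recipient named by the
ruleset is subject to a deployment security policy, which may suppress
delivery entirely or strip implementation detail before sending.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from xml.etree import ElementTree as ET

# SOAP 1.2 envelope namespace (from the SOAP 1.2 specification).
SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
XML_NS = "http://www.w3.org/XML/1998/namespace"


@dataclass
class Fault:
    code: str    # SOAP 1.2 fault code QName, e.g. "env:Sender" or "env:Receiver"
    reason: str  # human-readable reason text
    detail: str  # internal diagnostic detail; never leaves the node when redacted


@dataclass
class Ruleset:
    """Constructed model of a message exchange pattern's fault ruleset."""
    direction: str  # constructed: "to-client" or "to-service"
    recipient: str  # constructed endpoint identifier


@dataclass
class SecurityPolicy:
    """Constructed deployment policy: the 'turn off all faults' option."""
    suppress_all_faults: bool = False  # log faults but never propagate them
    redact_detail: bool = True         # drop the Detail element when propagating


@dataclass
class Node:
    ruleset: Ruleset
    policy: SecurityPolicy
    log: List[str] = field(default_factory=list)                 # local fault log
    sent: List[Tuple[str, str]] = field(default_factory=list)    # (recipient, envelope)

    def handle_fault(self, fault: Fault) -> Optional[str]:
        """Log the fault; propagate it unless the security policy forbids it.

        Returns the serialized SOAP 1.2 fault envelope that was sent, or None
        when the policy suppressed delivery (the fault is still in self.log).
        """
        # The full fault, detail included, is always available to operators.
        self.log.append(
            f"{fault.code} {fault.reason!r} detail={fault.detail!r} "
            f"(ruleset: {self.ruleset.direction} -> {self.ruleset.recipient})"
        )
        if self.policy.suppress_all_faults:
            return None  # security exemption: generated but not sent
        envelope = build_soap12_fault(fault, include_detail=not self.policy.redact_detail)
        self.sent.append((self.ruleset.recipient, envelope))
        return envelope


def build_soap12_fault(fault: Fault, include_detail: bool) -> str:
    """Serialize a minimal SOAP 1.2 Fault (Code, Reason, optional Detail)."""
    ET.register_namespace("env", SOAP_ENV)
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    flt = ET.SubElement(body, f"{{{SOAP_ENV}}}Fault")
    code = ET.SubElement(flt, f"{{{SOAP_ENV}}}Code")
    ET.SubElement(code, f"{{{SOAP_ENV}}}Value").text = fault.code
    reason = ET.SubElement(flt, f"{{{SOAP_ENV}}}Reason")
    text = ET.SubElement(reason, f"{{{SOAP_ENV}}}Text")
    text.set(f"{{{XML_NS}}}lang", "en")
    text.text = fault.reason
    if include_detail:
        # Detail carries application-defined children; "trace" is a constructed name.
        detail = ET.SubElement(flt, f"{{{SOAP_ENV}}}Detail")
        ET.SubElement(detail, "trace").text = fault.detail
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    rules = Ruleset("to-client", "urn:example:client")  # constructed values
    fault = Fault("env:Receiver", "Internal error", "trace: db.connect() line 42")

    open_node = Node(rules, SecurityPolicy(redact_detail=True))
    print("sent (redacted):", open_node.handle_fault(fault))

    locked_node = Node(rules, SecurityPolicy(suppress_all_faults=True))
    print("sent (suppressed):", locked_node.handle_fault(fault))
    print("logged locally:", locked_node.log[0])
```

With the default policy the client receives a fault carrying the code and reason but no internal detail; with `suppress_all_faults` the node still records the fault (so the "always useful for debugging" property survives) while sending nothing, which is exactly the behaviour the proposed "Unless security concerns limit the ability to deliver faults" clause is meant to permit.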