Subject: RE: Issue 069 - WS-Discovery - Preventing replay attack using [message id] property is impractical
Based on our discussions on this issue during the face-to-face, a modified proposal for this issue is attached. This proposal lists the mechanisms, including the timestamp mechanism described in WS-Security, that implementations can use to prevent replay attacks. This is provided as guidance without introducing any additional requirements; implementations can choose to use these mechanisms based on the scenario, their capabilities and the level of replay protection they need.
This issue is assigned the number 069. For further discussions on this issue, please refer to this issue number or use this thread.
Please defer discussions on this issue until it is accepted and assigned a number.
Section 9, Security Considerations, of the current specification recommends signing the [message id] property of the message and discarding any message with the same [message id] property. Effectively implementing replay attack prevention through duplicate [message id] detection would require a large amount of storage to cache the [message id] property of every message received so far.
WS-Security recommends using Timestamps to prevent replay attacks. WS-Discovery should use the same mechanism. In order to provide a low footprint, d:Security/d:Sig should include an attribute called "Created". The value of this attribute is of type xsd:dateTime. This should be expanded into a wsu:Created element inside a wsu:Timestamp element with wsu:Id="timestamp" and included in the canonicalization and signature verification.
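As an added illustration, not code from this thread or from the WS-DD TC, the following shows the proposed compact d:Sig Created attribute being expanded into the wsu:Timestamp that is canonicalized and signed, together with the receiver-side freshness check and a duplicate cache that only has to span the clock-skew window. The WS-Discovery namespace URI, the five-minute skew and the sample Hello message are assumptions.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
D_NS = "http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01"  # assumed WS-Discovery 1.1 namespace

# Constructed sample message carrying the proposed compact Created attribute.
SAMPLE_HELLO = f"""<d:Hello xmlns:d="{D_NS}">
  <d:Security><d:Sig Created="2009-01-15T10:00:00Z"/></d:Security>
</d:Hello>"""

def expand_timestamp(created: str) -> ET.Element:
    """Expand the attribute into the wsu:Timestamp (wsu:Id="timestamp") the signature covers."""
    ts = ET.Element(f"{{{WSU_NS}}}Timestamp", {f"{{{WSU_NS}}}Id": "timestamp"})
    ET.SubElement(ts, f"{{{WSU_NS}}}Created").text = created
    return ts

def created_from_sig(sig_xml: str) -> str:
    """Read Created off d:Security/d:Sig; without it the message has no replay protection."""
    sig = ET.fromstring(sig_xml).find(f".//{{{D_NS}}}Security/{{{D_NS}}}Sig")
    if sig is None or "Created" not in sig.attrib:
        raise ValueError("no Created timestamp on d:Sig")
    return sig.attrib["Created"]

def parse_created(created: str) -> datetime:
    """xsd:dateTime must carry a zone, or freshness comparisons are ambiguous."""
    t = datetime.fromisoformat(created.replace("Z", "+00:00"))  # 'Z' form for older Pythons
    if t.tzinfo is None:
        raise ValueError("Created must carry a time zone")
    return t

def is_fresh(created: str, now: datetime, skew: timedelta) -> bool:
    return abs(now - parse_created(created)) <= skew  # within +/- skew of the receiver clock

class ReplayFilter:
    """Duplicate detection whose cache only spans the skew window: older entries are
    already rejected by is_fresh(), so storage is bounded by rate times window."""
    def __init__(self, skew: timedelta):
        self.skew, self.seen = skew, {}  # (Created, [message id]) -> Created datetime
    def accept(self, sig_xml: str, message_id: str, now: datetime) -> bool:
        created = created_from_sig(sig_xml)
        if not is_fresh(created, now, self.skew):
            return False
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew}
        key = (created, message_id)
        if key in self.seen:
            return False
        self.seen[key] = parse_created(created)
        return True
```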