OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: WS-I BSP WG comments - Part 2

Please find below an additional comment on the WS-Security
specifications from the WS-I Basic Security Profile WG.  Please contact
me if you have any difficulty interpreting our comments.

Chair, WS-I BSP WG

Paul Cotton, Microsoft Canada 
17 Eleanor Drive, Nepean, Ontario K2E 6A3 
Tel: (613) 225-5445 Fax: (425) 936-7329 


WSS Username Token Profile
Comments on Working Draft 4 dated 11 Aug 2003.

In lines 126-134 of the Username Token Profile, counter measures are
given to thwart replay attacks.  The counter measures involve timestamps
and nonces.  This works as a counter measure when the attacker attempts
to replay the token to the same receiver that legitimately received the
token previously.

However, it does not cover the case where the token is replayed to a
different receiver.  There are several possible approaches for this
latter case:
  - including the username in the hash, to thwart cases where multiple
user accounts have matching passwords (e.g. passwords based on company
  - including the domain name in the hash, to thwart cases where the
same username/password is used in multiple systems
  - including some indication of the intended receiver in the hash, to
thwart cases where receiving systems don't share nonce caches (e.g., two
separate application clusters in the same security domain).

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]