0002050: Discovery 5.4.1 last paragraph - intent? and possible conflict of definition

ID	Project	Category	View Status	Date Submitted	Last Update

0002050	10000-004: Services		public	2012-05-17 18:50	2013-12-03 17:16

Reporter	~~Nathan Pocock~~	Assigned To	Matthias Damm
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Fixed in Version	1.03

Summary	0002050: Discovery 5.4.1 last paragraph - intent? and possible conflict of definition
Description	CMPWG 5/17/2012: A paragraph added in spec version 1.02.14 requires the validation of the hostname specified in the serverCertificate is the same as the hostName contained in the endpointUrl of the endpointDescription. Both the serverCertificate and endpointDescription are returned in GetEndpoints, so why would they be any different? Even from a security standpoint, this doesn't seem to accomplish much. We wonder if the paragraph is incomplete, perhaps the intent is to correlate the FindServers response with the GetEndpoints response? A possible conflict in definition exists too since this sentence starts with "A Client shall...." and yet the new paragaph in 5.4.3.1 states "The ApplicationInstanceCertificate is optional for Endpoints with Security Policy NONE." so how does the "shall" work now?
Tags	No tags attached.

Commit Version
Fix Due Date

Jim Luth 2012-06-05 18:01 administrator ~0003724	we believe the spec is correct as written, but could use some more examples of the security threats these checks are trying to prevent.

Matthias Damm 2013-10-11 18:04 developer ~0005076	Updated paragraph in 5.4 Discovery Service Set A Client shall verify the HostName specified in the Server Certificate is the same as the HostName contained in the endpointUrl provided in the EndpointDescription and that is used to open a SecureChannel. If there is a difference then the Client shall report the difference and may choose to not open the SecureChannel. Added also paragraph to 5.5.2 OpenSecureChannel A Client shall verify the HostName specified in the Server Certificate is the same as the HostName contained in the endpointUrl that is used to open a SecureChannel. If there is a difference then the Client shall report the difference and may choose to not open the SecureChannel. Resolved in document IEC 62541-4 - Services [Pre-CDV] 1.02.07.doc

Jim Luth 2013-12-03 17:14 administrator ~0005161	We reviewed and edited the text in the call and agreed on the final text.

Date Modified	Username	Field	Change
2012-05-17 18:50	~~Nathan Pocock~~	New Issue
2012-06-05 18:01	Jim Luth	Note Added: 0003724
2012-06-05 18:01	Jim Luth	Project	10000-004: Services => Feature Requests
2012-07-17 17:34	Jim Luth	Status	new => acknowledged
2013-09-10 17:08	Jim Luth	Status	acknowledged => assigned
2013-09-10 17:08	Jim Luth	Assigned To	=> Matthias Damm
2013-09-10 17:08	Jim Luth	Project	Feature Requests => 10000-004: Services
2013-10-11 18:04	Matthias Damm	Status	assigned => resolved
2013-10-11 18:04	Matthias Damm	Resolution	open => fixed
2013-10-11 18:04	Matthias Damm	Note Added: 0005076
2013-12-03 17:14	Jim Luth	Status	resolved => closed
2013-12-03 17:14	Jim Luth	Note Added: 0005161
2013-12-03 17:14	Jim Luth	Fixed in Version	=> 1.02
2013-12-03 17:16	Jim Luth	Fixed in Version	1.02 => 1.03