View Issue Details

IDProjectCategoryView StatusLast Update
000205010000-004: Servicespublic2013-12-03 17:16
ReporterNathan PocockAssigned ToMatthias Damm  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Fixed in Version1.03 
Summary0002050: Discovery 5.4.1 last paragraph - intent? and possible conflict of definition
Description

CMPWG 5/17/2012:

A paragraph added in spec version 1.02.14 requires the validation of the hostname specified in the serverCertificate is the same as the hostName contained in the endpointUrl of the endpointDescription.

Both the serverCertificate and endpointDescription are returned in GetEndpoints, so why would they be any different? Even from a security standpoint, this doesn't seem to accomplish much.

We wonder if the paragraph is incomplete, perhaps the intent is to correlate the FindServers response with the GetEndpoints response?

A possible conflict in definition exists too since this sentence starts with "A Client shall...." and yet the new paragaph in 5.4.3.1 states "The ApplicationInstanceCertificate is optional for Endpoints with Security Policy NONE." so how does the "shall" work now?

TagsNo tags attached.
Commit Version
Fix Due Date

Activities

Jim Luth

2012-06-05 18:01

administrator   ~0003724

we believe the spec is correct as written, but could use some more examples of the security threats these checks are trying to prevent.

Matthias Damm

2013-10-11 18:04

developer   ~0005076

Updated paragraph in 5.4 Discovery Service Set
A Client shall verify the HostName specified in the Server Certificate is the same as the HostName contained in the endpointUrl provided in the EndpointDescription and that is used to open a SecureChannel. If there is a difference then the Client shall report the difference and may choose to not open the SecureChannel.

Added also paragraph to 5.5.2 OpenSecureChannel
A Client shall verify the HostName specified in the Server Certificate is the same as the HostName contained in the endpointUrl that is used to open a SecureChannel. If there is a difference then the Client shall report the difference and may choose to not open the SecureChannel.

Resolved in document IEC 62541-4 - Services [Pre-CDV] 1.02.07.doc

Jim Luth

2013-12-03 17:14

administrator   ~0005161

We reviewed and edited the text in the call and agreed on the final text.

Issue History

Date Modified Username Field Change
2012-05-17 18:50 Nathan Pocock New Issue
2012-06-05 18:01 Jim Luth Note Added: 0003724
2012-06-05 18:01 Jim Luth Project 10000-004: Services => Feature Requests
2012-07-17 17:34 Jim Luth Status new => acknowledged
2013-09-10 17:08 Jim Luth Status acknowledged => assigned
2013-09-10 17:08 Jim Luth Assigned To => Matthias Damm
2013-09-10 17:08 Jim Luth Project Feature Requests => 10000-004: Services
2013-10-11 18:04 Matthias Damm Status assigned => resolved
2013-10-11 18:04 Matthias Damm Resolution open => fixed
2013-10-11 18:04 Matthias Damm Note Added: 0005076
2013-12-03 17:14 Jim Luth Status resolved => closed
2013-12-03 17:14 Jim Luth Note Added: 0005161
2013-12-03 17:14 Jim Luth Fixed in Version => 1.02
2013-12-03 17:16 Jim Luth Fixed in Version 1.02 => 1.03