> What I don't understand is why you think that just because WS-A includes > as part of its > processing model the echoing of EPR props/params as SOAP headers that > makes it somehow special with regards > to the security model and its application to outbound messages. Because it just is. Honest, it really is. Don't think of it as echoing, think of it as promotion. No other generic composible specification does this. Every other spec makes it clear, through standard use of XML, what it is. Therefore it is easy to express a security policy, implement it, and verify it. Since addressing information is now put as header elements that are indistinguishable from any other header elements, then you cannot reliably secure them, you cannot express a policy that says how they should be secured, and even if you could, the set of headers to be affected not only varies per-message-type, but per message instance. IT makes it *much* harder to provide end-to-send security of message headers. Without close coupling and clumsy policy expression, it's impossible. /r$ -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.htmlReceived on Thursday, 25 November 2004 00:10:01 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:35:00 GMT