W3C home > Mailing lists > Public > public-ws-addressing@w3.org > February 2006

Re: Encrytping WS-A headers

From: Michael McIntosh <mikemci@us.ibm.com>
Date: Thu, 23 Feb 2006 17:26:57 -0500
To: Arun Gupta <Arun.Gupta@Sun.COM>
Cc: public-ws-addressing@w3.org, public-ws-addressing-request@w3.org
Message-ID: <OF0DC29917.3BC0BAE4-ON8525711E.007B0B85-8525711E.007B4BBE@us.ibm.com>

public-ws-addressing-request@w3.org wrote on 02/23/2006 05:16:48 PM:

> 
> Section 7.0 [1] of SOAP Binding says:
> 
> -- cut here --
> WS-Addressing message addressing properties serialized as SOAP headers 
> (wsa:To, wsa:Action et al.) including those headers present as a result 
> of the [reference parameters] property should be integrity protected as 
> explained in Web Services Addressing 1.0 - Core[WS-Addressing-Core].
> -- cut here --
> 
> This does not restrict the sender of SOAP message to encrypt WS-A 
> headers. If wsa:To is to be usable for routing then WS-A headers (esp 
> wsa:To) must not be encrypted otherwise intermediaries wouldnt be able 
> to route it.

It could be that a sender might encrypt the header and allow the routing 
intermediary to decrypt it, right?

> I think WG should give some advice in the spec to that effect.
> 
> [1] 
> http://dev.w3.org/cvsweb/~checkout~/2004/ws/addressing/ws-addr-soap.
> html#securityconsiderations
> 
> Thanks,
> -Arun
> -- 
> got Web Services ?
> Download Java Web Services Developer Pack from
> http://java.sun.com/webservices
> 
Received on Thursday, 23 February 2006 22:27:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:35:11 GMT