RE: Encrytping WS-A headers

It could also be that the actual encryption itself is handed over to an
intermediary which does this kind of task for all the soap processors. This
is most likely case especially after the message has been enriched with
private data. 

The key issue IMHO is that; Are we are asking for integrity protection on a
hop by hop basis or end to end basis? That clarification might be something
this WG should consider adding. 

Vikas


-----Original Message-----
From: public-ws-addressing-request@w3.org
[mailto:public-ws-addressing-request@w3.org] On Behalf Of Michael McIntosh
Sent: Thursday, February 23, 2006 2:27 PM
To: Arun Gupta
Cc: public-ws-addressing@w3.org; public-ws-addressing-request@w3.org
Subject: Re: Encrytping WS-A headers


public-ws-addressing-request@w3.org wrote on 02/23/2006 05:16:48 PM:

> 
> Section 7.0 [1] of SOAP Binding says:
> 
> -- cut here --
> WS-Addressing message addressing properties serialized as SOAP headers 
> (wsa:To, wsa:Action et al.) including those headers present as a result 
> of the [reference parameters] property should be integrity protected as 
> explained in Web Services Addressing 1.0 - Core[WS-Addressing-Core].
> -- cut here --
> 
> This does not restrict the sender of SOAP message to encrypt WS-A 
> headers. If wsa:To is to be usable for routing then WS-A headers (esp 
> wsa:To) must not be encrypted otherwise intermediaries wouldnt be able 
> to route it.

It could be that a sender might encrypt the header and allow the routing 
intermediary to decrypt it, right?

> I think WG should give some advice in the spec to that effect.
> 
> [1] 
> http://dev.w3.org/cvsweb/~checkout~/2004/ws/addressing/ws-addr-soap.
> html#securityconsiderations
> 
> Thanks,
> -Arun
> -- 
> got Web Services ?
> Download Java Web Services Developer Pack from
> http://java.sun.com/webservices
>

Received on Friday, 24 February 2006 00:44:01 UTC