
Re: Minutes of the Web Services Addressing / TAG joint meeting

From: Mark Nottingham <mark.nottingham@bea.com>
Date: Mon, 7 Mar 2005 09:50:01 -0800
Message-Id: <36fe4fc79ebdf2f55e7973b3d0d8d7e7@bea.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
To: Rich Salz <rsalz@datapower.com>

RFC2617 allows a limited form of integrity protection on both requests 
and responses; see sections 3.2.2 and 3.2.3, especially with regard to 
the calculation of A2. While it's true that HTTP Digest authentication 
doesn't provide for integrity protection on HTTP headers (it's very 
messy), the Request-URI isn't a header, it's in the Request-Line.

That said, I'm not aware of any implementations that support this. 
Anybody else?

Also, SSL and TLS provide security for both HTTP headers and all of the 
request line EXCEPT for the hostname and port.

Cheers,


On Mar 4, 2005, at 7:46 AM, Rich Salz wrote:

>
>> "underlying" protocol such as HTTP.  Duplication has serious 
>> downsides,
>> but also some advantages, and may be a reasonable compromise in some
>> cases, perhaps this one.
>
> There is no way to get end-to-end security on HTTP headers.  Put 
> another
> way, while I can sign a wsa:To element, there is no way (at least not a
> standard way; there might be a private scheme I don't know about)
> to sign the URL in the POST command.
>
> 	/r$
> -- 
> Rich Salz                  Chief Security Architect
> DataPower Technology       http://www.datapower.com
> XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
>
>
>

--
Mark Nottingham   Principal Technologist
Office of the CTO   BEA Systems
Received on Monday, 7 March 2005 17:50:31 GMT
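The A2 calculation the mail refers to (RFC 2617 sections 3.2.2 and 3.2.2.3) is what decides which parts of the request Digest authentication actually binds. The following Python is an added illustration, not code from the mail, from the TAG, or from any implementation discussed in the thread. It computes the Digest "response" value for qop=auth and qop=auth-int and then checks, from the verifying server's side, which tampered fields still validate. The credentials, nonce, URI, headers and entity body are constructed for the example; the one real value is the test vector from RFC 2617 section 3.5, used only to confirm the arithmetic.

```python
import hashlib
import hmac
from typing import Dict

# Constructed credentials for the tamper demonstration (not real accounts).
USERNAME, REALM, PASSWORD = "alice", "example.org", "correct horse"
# Nonce/cnonce/nc values copied from the RFC 2617 section 3.5 worked example.
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"


def h(data: bytes) -> str:
    """H() as RFC 2617 defines it: MD5, rendered as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, body: bytes, headers: Dict[str, str],
                    qop: str, nonce: str = NONCE, nc: str = NC,
                    cnonce: str = CNONCE) -> str:
    """Compute the Digest 'response' directive per RFC 2617 section 3.2.2.

    `headers` is accepted only to make the point explicit: nothing in the
    RFC feeds HTTP headers into A1 or A2, so they are deliberately unread.
    """
    del headers  # never enters the hash; see the mail's remark on headers
    # A1 = username ":" realm ":" password (section 3.2.2.2)
    ha1 = h(f"{username}:{realm}:{password}".encode())
    if qop == "auth-int":
        # Section 3.2.2.3: A2 = Method ":" digest-uri-value ":" H(entity-body)
        # The Request-URI from the Request-Line and the body are both bound.
        ha2 = h(f"{method}:{uri}:{h(body)}".encode())
    elif qop == "auth":
        # A2 = Method ":" digest-uri-value; only method and URI are bound.
        ha2 = h(f"{method}:{uri}".encode())
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    # response = KD(H(A1), nonce:nc:cnonce:qop:H(A2)) with KD(s, d) = H(s ":" d)
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def server_accepts(method: str, uri: str, body: bytes, headers: Dict[str, str],
                   qop: str, presented: str) -> bool:
    """Verifier side: recompute from what arrived and compare in constant time."""
    expected = digest_response(USERNAME, REALM, PASSWORD, method, uri, body,
                               headers, qop)
    return hmac.compare_digest(expected, presented)


def tamper_matrix(qop: str) -> Dict[str, bool]:
    """For a given qop, report whether the server still accepts the original
    response after each field of the request has been altered in transit.
    True means the change went undetected."""
    # Constructed request: a SOAP-style POST with one header and a small body.
    method, uri, body = "POST", "/services/orders", b"<order id='42'/>"
    headers = {"SOAPAction": "submitOrder"}
    original = digest_response(USERNAME, REALM, PASSWORD, method, uri, body,
                               headers, qop)
    return {
        "untouched": server_accepts(method, uri, body, headers, qop, original),
        "request_uri_changed": server_accepts(
            method, "/services/admin", body, headers, qop, original),
        "body_changed": server_accepts(
            method, uri, b"<order id='99'/>", headers, qop, original),
        "header_changed": server_accepts(
            method, uri, body, {"SOAPAction": "cancelOrder"}, qop, original),
    }


def rfc2617_section_3_5_vector() -> str:
    """Sanity check of the arithmetic against the example in RFC 2617 s3.5."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html", b"", {}, "auth")


if __name__ == "__main__":
    for qop in ("auth", "auth-int"):
        print(qop, tamper_matrix(qop))
```

Run as a script, the matrix shows the boundary the mail draws: with qop=auth-int both a changed Request-URI and a changed entity body are rejected, with qop=auth only the URI is, and in neither mode does a changed header affect verification. `hmac.compare_digest` on the verifier side is a defensive detail not required by the RFC.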
