Re: Minutes of the Web Services Addressing / TAG joint meeting

Mark, you're correct that digest-auth protects the request-uri.  There 
was an extended thread on digest-auth on the xml-dev list in Jan 04; it 
turns out that digest is available more than I (or you) might expect.

The drawbacks to it are
	Requires a shared secret between client and server; barring WS-Trust or 
similar, this means "shared login password."  Ugh.
	Really only works with HTTP request-response MEP
	Doesn't fit into WS-Security

> Also, SSL and TLS provide security for both HTTP headers and all of the 
> request line EXCEPT for the hostname and port.

Yes, but since the server name must appear in the server's certificate, 
this really comes down to just the port number.  Also, SSL/TLS is 
hop-by-hop, not end-to-end.

	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html

Received on Monday, 7 March 2005 18:18:23 UTC