Re: Minutes of the Web Services Addressing / TAG joint meeting

Mark Nottingham wrote:
> 
> RFC2617 allows a limited form of integrity protection on both requests 
> and responses; see sections 3.2.2 and 3.2.3, especially with regard to 
> the calculation of A2. While it's true that HTTP Digest authentication 
> doesn't provide for integrity protection on HTTP headers (it's very 
> messy), the Request-URI isn't a header, it's in the Request-Line.
> 
> That said, I'm not aware of any implementations that support this. 
> Anybody else?
> 

Apache has a mod_auth_digest 
(http://httpd.apache.org/docs-2.1/mod/mod_auth_digest.html) that 
implements HTTP digest auth, but this is an experimental module.


> Also, SSL and TLS provide security for both HTTP headers and all of the 
> request line EXCEPT for the hostname and port.
> 
> Cheers,
> 
> 
> On Mar 4, 2005, at 7:46 AM, Rich Salz wrote:
> 
>>
>>> "underlying" protocol such as HTTP.  Duplication has serious downsides,
>>> but also some advantages, and may be a reasonable compromise in some
>>> cases, perhaps this one.
>>
>>
>> There is no way to get end-to-end security on HTTP headers.  Put another
>> way, while I can sign a wsa:To element, there is no way (at least not
>> standard way; there might be a private shcme I don't know about)
>> to sign the URL in the POST command.
>>
>>     /r$
>> -- 
>> Rich Salz                  Chief Security Architect
>> DataPower Technology       http://www.datapower.com
>> XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
>>
>>
>>
> 
> -- 
> Mark Nottingham   Principal Technologist
> Office of the CTO   BEA Systems
> 
> 

Received on Monday, 7 March 2005 19:02:27 UTC