
Re: Minutes of the Web Services Addressing / TAG joint meeting

From: Anish Karmarkar <Anish.Karmarkar@oracle.com>
Date: Mon, 07 Mar 2005 11:00:58 -0800
Message-ID: <422CA4EA.1060008@oracle.com>
To: Mark Nottingham <mark.nottingham@bea.com>
CC: Rich Salz <rsalz@datapower.com>, "www-tag@w3.org" <www-tag@w3.org>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>

Mark Nottingham wrote:
> 
> RFC2617 allows a limited form of integrity protection on both requests 
> and responses; see sections 3.2.2 and 3.2.3, especially with regard to 
> the calculation of A2. While it's true that HTTP Digest authentication 
> doesn't provide for integrity protection on HTTP headers (it's very 
> messy), the Request-URI isn't a header, it's in the Request-Line.
> 
> That said, I'm not aware of any implementations that support this. 
> Anybody else?
> 

Apache has a mod_auth_digest 
(http://httpd.apache.org/docs-2.1/mod/mod_auth_digest.html) that 
implements HTTP digest auth, but this is an experimental module.


> Also, SSL and TLS provide security for both HTTP headers and all of the 
> request line EXCEPT for the hostname and port.
> 
> Cheers,
> 
> 
> On Mar 4, 2005, at 7:46 AM, Rich Salz wrote:
> 
>>
>>> "underlying" protocol such as HTTP.  Duplication has serious downsides,
>>> but also some advantages, and may be a reasonable compromise in some
>>> cases, perhaps this one.
>>
>>
>> There is no way to get end-to-end security on HTTP headers.  Put another
>> way, while I can sign a wsa:To element, there is no way (at least not
>> standard way; there might be a private scheme I don't know about)
>> to sign the URL in the POST command.
>>
>>     /r$
>> -- 
>> Rich Salz                  Chief Security Architect
>> DataPower Technology       http://www.datapower.com
>> XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
>>
>>
>>
> 
> -- 
> Mark Nottingham   Principal Technologist
> Office of the CTO   BEA Systems
> 
> 
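Added illustration of the A2 point above (not code from anyone in this thread): RFC 2617's request-digest recomputed server-side, using the credential and challenge values from RFC 2617 section 3.5 so the result can be checked against the spec. The Host and SOAPAction headers, the tampered URI and hostname, and the request dictionary layout are constructed for the example.

```python
import hashlib
import hmac
from copy import deepcopy

def _h(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()  # RFC 2617 specifies MD5

def request_digest(req: dict, user: str, realm: str, password: str,
                   nonce: str, nc: str, cnonce: str, qop: str) -> str:
    """request-digest per RFC 2617 section 3.2.2.

    A1 binds the credentials to the realm. A2 binds the method and the
    digest-uri (the Request-URI taken from the Request-Line); with
    qop=auth-int it also binds H(entity-body). req["headers"] is never
    read: Digest gives HTTP headers no integrity protection at all.
    """
    ha1 = _h(f"{user}:{realm}:{password}")
    if qop == "auth":
        a2 = f"{req['method']}:{req['uri']}"
    elif qop == "auth-int":
        a2 = f"{req['method']}:{req['uri']}:{hashlib.md5(req['body']).hexdigest()}"
    else:
        raise ValueError(f"unsupported qop {qop!r}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2)}")

def server_accepts(req: dict, presented: str, **params) -> bool:
    """Server-side check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(request_digest(req, **params), presented)

# Constructed example. Credentials, nonce, nc and cnonce come from the worked
# example in RFC 2617 section 3.5; the headers are made up for illustration.
PARAMS = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
              cnonce="0a4f113b", qop="auth")
REQUEST = {"method": "GET", "uri": "/dir/index.html",
           "headers": {"Host": "www.nowhere.org", "SOAPAction": "urn:example:op"},
           "body": b""}

def tampering_outcome() -> dict:
    """Which in-flight modifications does a Digest verifier actually notice?"""
    presented = request_digest(REQUEST, **PARAMS)       # what the client sent
    uri_changed = deepcopy(REQUEST)
    uri_changed["uri"] = "/dir/other.html"              # Request-Line altered
    host_changed = deepcopy(REQUEST)
    host_changed["headers"]["Host"] = "other.example"   # header altered
    return {
        "original": server_accepts(REQUEST, presented, **PARAMS),
        "uri_changed": server_accepts(uri_changed, presented, **PARAMS),
        "header_changed": server_accepts(host_changed, presented, **PARAMS),
    }
```

A rewritten Request-URI is rejected because it feeds A2, while a rewritten Host header passes unnoticed, which is exactly the gap TLS closes for headers and that wsa:To signing addresses at the SOAP layer.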
Received on Monday, 7 March 2005 19:02:27 GMT
