On Mar 7, 2005, at 10:19 AM, Rich Salz wrote:

> Mark, you're correct that digest-auth protects the request-uri. There
> was an extended thread on digest-auth on the xml-dev list in Jan 04;
> it turns out that digest is available more than I (or you) might
> expect.

Sorry, I meant that I didn't know if qop=auth-int were widely implemented; then again, since you get integrity protection on the request-uri for free even with qop=auth, the bar is lower in this particular case. Digest auth in general is very widely supported (I use it every day ;)

> The drawbacks to it are
> Requires a shared secret between client and server; barring WS-Trust
> or similar, this means "shared login password." Ugh.
> Really only works with HTTP request-response MEP
> Doesn't fit into WS-Security

Yup.

>> Also, SSL and TLS provide security for both HTTP headers and all of
>> the request line EXCEPT for the hostname and port.
>
> Yes, but since the server name must appear in the server's
> certificate, this really comes down to just the port number. Also,
> SSL/TLS is hop-by-hop, not end-to-end.

Well, it's end-to-end for HTTP, but not for SOAP. </quibble>

Cheers,

--
Mark Nottingham   Principal Technologist
Office of the CTO   BEA Systems

Received on Monday, 7 March 2005 19:03:48 GMT
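The qop=auth versus qop=auth-int distinction discussed in this message, as an added example that is not part of the original post: it computes the RFC 2617 request-digest and shows which in-transit changes a verifying server detects under each qop. The credentials and nonces are the worked-example values from RFC 2617 section 3.5; the POST request, its bodies, and the helper names are constructed for illustration, and the server check is simplified to recomputing the digest from the request as received.

```python
import hashlib
import hmac

# Credentials and nonces from the worked example in RFC 2617 section 3.5.
CRED = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
            nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
            cnonce="0a4f113b")

def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(method, uri, qop, body=b"", *, user, realm, password,
                    nonce, nc, cnonce):
    """Compute the RFC 2617 request-digest for qop=auth or qop=auth-int."""
    if qop not in ("auth", "auth-int"):
        raise ValueError(f"unsupported qop: {qop}")
    ha1 = _md5(f"{user}:{realm}:{password}".encode())
    a2 = f"{method}:{uri}"            # request-uri is covered under both qop values
    if qop == "auth-int":
        a2 += ":" + _md5(body)        # entity body is covered only under auth-int
    ha2 = _md5(a2.encode())
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def server_accepts(claimed, method, uri, qop, body=b""):
    """Recompute the digest from the request as received and compare."""
    expected = digest_response(method, uri, qop, body, **CRED)
    return hmac.compare_digest(expected, claimed)

def tamper_matrix():
    """For each qop, report whether the server accepts each (constructed) variant."""
    body, altered = b'<order qty="1"/>', b'<order qty="9"/>'
    out = {}
    for qop in ("auth", "auth-int"):
        sent = digest_response("POST", "/orders", qop, body, **CRED)
        out[qop] = {
            "unmodified": server_accepts(sent, "POST", "/orders", qop, body),
            "uri_changed": server_accepts(sent, "POST", "/orders/9", qop, body),
            "body_changed": server_accepts(sent, "POST", "/orders", qop, altered),
        }
    return out

if __name__ == "__main__":
    for qop, row in tamper_matrix().items():
        print(qop, row)
```

Under qop=auth the altered body is still accepted while the altered request-uri is rejected; only qop=auth-int rejects both.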