
Re: Minutes of the Web Services Addressing / TAG joint meeting

From: Mark Nottingham <mark.nottingham@bea.com>
Date: Mon, 7 Mar 2005 11:03:26 -0800
Message-Id: <ec38f686af227a73658a4f5a1af48226@bea.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
To: Rich Salz <rsalz@datapower.com>


On Mar 7, 2005, at 10:19 AM, Rich Salz wrote:

> Mark, you're correct that digest-auth protects the request-uri.  There 
> was an extended thread on digest-auth on the xml-dev list in Jan 04; 
> it turns out that digest is available more than I (or you) might 
> expect.

Sorry, I meant that I didn't know if qop=auth-int were widely 
implemented; then again, since you get integrity protection on the 
request-uri for free even with qop=auth, the bar is lower in this 
particular case. Digest auth in general is very widely supported (I use 
it every day ;)

> The drawbacks to it are
> 	Requires a shared secret between client and server; barring WS-Trust 
> or similar, this means "shared login password."  Ugh.
> 	Really only works with HTTP request-response MEP
> 	Doesn't fit into WS-Security

Yup.

>> Also, SSL and TLS provide security for both HTTP headers and all of 
>> the request line EXCEPT for the hostname and port.
>
> Yes, but since the server name must appear in the server's 
> certificate, this really comes down to just the port number.  Also, 
> SSL/TLS is hop-by-hop, not end-to-end.

Well, it's end-to-end for HTTP, but not for SOAP. </quibble>

Cheers,

--
Mark Nottingham   Principal Technologist
Office of the CTO   BEA Systems
Received on Monday, 7 March 2005 19:03:48 GMT
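
Added example, not part of the original message: the RFC 2617 request-digest computed for qop=auth and qop=auth-int, showing that the request-uri is covered in both modes while the body is covered only by auth-int. The credentials are the RFC 2617 sample values; `server_accepts`, `make_auth` and the body bytes are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth", body=b""):
    """RFC 2617 request-digest for qop=auth or qop=auth-int."""
    ha1 = md5_hex(f"{user}:{realm}:{password}".encode())
    if qop == "auth":
        a2 = f"{method}:{uri}"                   # method and URI only
    elif qop == "auth-int":
        a2 = f"{method}:{uri}:{md5_hex(body)}"   # also binds the entity body
    else:
        raise ValueError(f"unsupported qop: {qop}")
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def server_accepts(auth, method, request_uri, body, password):
    """Hypothetical server-side check (an assumption, not any product's code).

    The digest covers the uri directive in the Authorization header, so the
    server must also compare that directive with the actual request line.
    """
    if auth["uri"] != request_uri:
        return False
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, auth["uri"], auth["nonce"], auth["nc"],
                               auth["cnonce"], auth["qop"], body)
    return hmac.compare_digest(expected, auth["response"])

# Sample values from RFC 2617 section 3.5.
PASSWORD = "Circle Of Life"
SAMPLE = {"username": "Mufasa", "realm": "testrealm@host.com",
          "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
          "uri": "/dir/index.html", "nc": "00000001", "cnonce": "0a4f113b"}

def make_auth(qop, body=b"", method="GET"):
    """Build the client's Authorization directives as a dict."""
    auth = dict(SAMPLE, qop=qop)
    auth["response"] = digest_response(auth["username"], auth["realm"], PASSWORD,
                                       method, auth["uri"], auth["nonce"],
                                       auth["nc"], auth["cnonce"], qop, body)
    return auth

if __name__ == "__main__":
    a = make_auth("auth")
    print(a["response"])
    print(server_accepts(a, "GET", "/dir/other.html", b"", PASSWORD))
```

With qop=auth a modified body still verifies, which is why the request-uri protection comes "for free" but message integrity does not.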
