
RE: RFC 2616 (rfc2616) - Hypertext Transfer Protocol -- HTTP/1.1Re: Minutes of the Web Services Addressing / TAG joint meeting

From: Rich Salz <rsalz@datapower.com>
Date: Mon, 7 Mar 2005 20:17:56 -0500 (EST)
To: "Rice, Ed \(HP.com\)" <ed.rice@hp.com>
cc: "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <Pine.LNX.4.44L0.0503072012190.21547-100000@smtp.datapower.com>

> I guess it depends on the content.  Normally when you use a SOAP
> intermediary you would have your SSL connection with the intermediary if
> you're concerned about the validity of the content.  That way the
> intermediary becomes a trusted source (and it in-turn would have to have
> a trust relationship with the up-stream author of the content).

That strikes me as turning an architectural limitation into a feature.
If I sign my content, I don't have to trust a SOAP intermediary to do
anything more than its business.  If that intermediary gets
compromised, *my* content won't get screwed up.  (Choicepoint, anyone?)

You don't trust every router that might touch your TCP packets, do you?
Of course not -- that's why you use SSL.  Why is the SOAP situation
any different?

I want end-to-end security, not hop-by-hop.  I'm not alone. :)
        /r$

-- 
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
Received on Tuesday, 8 March 2005 01:18:00 GMT
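
Added example, not part of the original message: a small simulation of the end-to-end versus hop-by-hop point argued above, in which an intermediary that terminates its own transport hop can still add headers but cannot alter the signed body undetected. The element names are simplified (no SOAP namespaces), and an HMAC keyed between sender and final receiver stands in for an XML Signature; both are assumptions of this sketch.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed key, known only to the sender and the ultimate receiver.
# Assumption: stands in for the sender's signing key; no intermediary holds it.
END_TO_END_KEY = b"constructed-demo-key"

def body_mac(envelope):
    """MAC over the canonicalized Body only, so headers stay mutable in transit."""
    body = ET.tostring(envelope.find("Body"), encoding="unicode")
    canonical = ET.canonicalize(body).encode()  # C14N, Python 3.8+
    return hmac.new(END_TO_END_KEY, canonical, hashlib.sha256).hexdigest()

def sender_build(payload):
    """Build the envelope and attach the end-to-end MAC as a header."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    ET.SubElement(ET.SubElement(env, "Body"), "Order").text = payload
    ET.SubElement(header, "Signature").text = body_mac(env)
    return ET.tostring(env)

def intermediary(wire, compromised=False):
    """Ends its own transport hop, so it sees and can rewrite the plaintext."""
    env = ET.fromstring(wire)
    ET.SubElement(env.find("Header"), "Via").text = "gateway-1"  # its business
    if compromised:
        env.find("Body/Order").text = "ship 1000 units elsewhere"  # tampering
    return ET.tostring(env)

def receiver_verify(wire):
    """Recompute the MAC over the received Body and compare in constant time."""
    env = ET.fromstring(wire)
    claimed = env.findtext("Header/Signature") or ""
    return hmac.compare_digest(claimed.encode(), body_mac(env).encode())

if __name__ == "__main__":
    wire = sender_build("ship 10 units")
    print("honest intermediary:", receiver_verify(intermediary(wire)))
    print("compromised intermediary:", receiver_verify(intermediary(wire, True)))
```

With transport security alone, both deliveries would look equally valid to the receiver, because each hop's channel is intact; only the check over the body distinguishes them.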
