RE: RFC 2616 (rfc2616) - Hypertext Transfer Protocol -- HTTP/1.1Re: Minutes of the Web Services Addressing / TAG joint meeting

I think you're mixing your types of transfers (mixed metaphors).

A SOAP transfer using SSL is the same as any SSL transfer: you still
don't 'trust' the routers, and the package transfers through securely.
What I 'believe' you're talking about with a SOAP intermediary is another
company or process that sits between the sender and the receiver who may
open the package, read the package and then route it appropriately (not
sure if you're suggesting they should also be able to add content).

Clearly, this is an issue if you're looking for end-to-end security and
you're going to use SOAP.  This type of security would require that the
entire SOAP package be encoded, or that 'parts' of the SOAP package be
encoded, so that you could tell what had changed and what hadn't.

This is less a limitation of SOAP than a limitation of XML.

-Ed

-----Original Message-----
From: Paul Cotton [mailto:pcotton@microsoft.com]
Sent: Monday, March 07, 2005 5:33 PM
To: Rich Salz; Rice, Ed (HP.com)
Cc: public-ws-addressing@w3.org; www-tag@w3.org
Subject: RE: RFC 2616 (rfc2616) - Hypertext Transfer Protocol --
HTTP/1.1Re: Minutes of the Web Services Addressing / TAG joint meeting

> I want end-to-end security, not hop-by-hop.  I'm not alone. :)

+1

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Nepean, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:pcotton@microsoft.com

> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> Of Rich Salz
> Sent: March 7, 2005 8:18 PM
> To: Rice, Ed (HP.com)
> Cc: public-ws-addressing@w3.org; www-tag@w3.org
> Subject: RE: RFC 2616 (rfc2616) - Hypertext Transfer Protocol --
> HTTP/1.1Re: Minutes of the Web Services Addressing / TAG joint meeting
> 
> 
> > I guess it depends on the content.  Normally when you use a SOAP
> > intermediary you would have your SSL connection with the
> > intermediary if you're concerned about the validity of the content.
> > That way the intermediary becomes a trusted source (and it in turn
> > would have to have a trust relationship with the up-stream author of
> > the content).
> 
> That strikes me as turning an architectural limitation into a feature.
> If I sign my content, I don't have to trust a SOAP intermediary to do
> anything more than its business.  If that intermediary gets
> compromised, *my* content won't get screwed up.  (Choicepoint,
> anyone?)
> 
> You don't trust every router that might touch your TCP packets, do
> you?  Of course not -- that's why you use SSL.  Why is the SOAP
> situation any different?
> 
> I want end-to-end security, not hop-by-hop.  I'm not alone. :)
>         /r$
> 
> --
> Rich Salz                  Chief Security Architect
> DataPower Technology       http://www.datapower.com
> XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
> 
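The point both Ed and Rich make above (a detached signature over the message content, or over 'parts' of it, so the final receiver can tell whether an intermediary changed anything) can be shown with a small script. The following is an added example written for this page; it is not code from the thread, from DataPower or from the W3C. It uses the standard-library HMAC-SHA256 in place of a real XML Signature (a production deployment would use WS-Security / XML-DSig with a public key so the receiver needs no shared secret), and the envelope, the namespaces `urn:example:*`, the header names and the key are all constructed for illustration. A well-behaved intermediary adds a routing header and the signature still verifies; a compromised intermediary rewrites a Body value and verification fails.

```python
"""Added example (not from the thread): end-to-end integrity for a SOAP Body
using a detached MAC carried in a header, so a hop-by-hop intermediary can
route the message but cannot alter the signed content unnoticed.

HMAC-SHA256 stands in for XML Signature; all names/values are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

# Constructed sample: a sender's envelope with one routing header and a body.
SAMPLE_ENVELOPE = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Route xmlns="urn:example:routing">hop-1</Route>
  </soap:Header>
  <soap:Body>
    <Transfer xmlns="urn:example:bank">
      <To>acct-42</To>
      <Amount>100</Amount>
    </Transfer>
  </soap:Body>
</soap:Envelope>
"""

# Constructed secret shared by sender and final receiver only; no
# intermediary ever holds it, which is what makes the check end-to-end.
END_TO_END_KEY = b"sender-and-receiver-only-secret"


def canonical_body(envelope_xml: str) -> bytes:
    """Canonical (C14N 2.0) bytes of soap:Body. Canonicalising first means
    whitespace or prefix changes made by an intermediary's XML stack are not
    mistaken for tampering; only the content of the Body is covered."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no soap:Body in envelope")
    body.tail = None  # drop text outside the element before serialising it
    return ET.canonicalize(ET.tostring(body), strip_text=True,
                           rewrite_prefixes=True).encode()


def sign_body(envelope_xml: str, key: bytes) -> str:
    """Sender: MAC the canonical Body and attach it as a detached header."""
    root = ET.fromstring(envelope_xml)
    mac = hmac.new(key, canonical_body(envelope_xml), hashlib.sha256).hexdigest()
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        root.insert(0, header)
    ET.SubElement(header, "{urn:example:sig}BodySignature").text = mac
    return ET.tostring(root, encoding="unicode")


def verify_body(envelope_xml: str, key: bytes) -> bool:
    """Final receiver: recompute the MAC over the Body as received and
    compare it in constant time with the value the header carries."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(f"{{{SOAP_NS}}}Header/{{urn:example:sig}}BodySignature")
    if sig is None or not sig.text:
        return False  # unsigned messages are rejected, not trusted
    expected = hmac.new(key, canonical_body(envelope_xml), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text.strip())


def intermediary_route(envelope_xml: str, next_hop: str) -> str:
    """Well-behaved intermediary: reads the message and appends a routing
    header. The Body is untouched, so the signature must still verify."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, "{urn:example:routing}Route").text = next_hop
    return ET.tostring(root, encoding="unicode")


def intermediary_tamper(envelope_xml: str, new_amount: str) -> str:
    """Compromised intermediary: rewrites a Body value (modelled only so the
    receiver's check can be shown failing on the result)."""
    root = ET.fromstring(envelope_xml)
    amount = root.find(f"{{{SOAP_NS}}}Body/{{urn:example:bank}}Transfer"
                       "/{urn:example:bank}Amount")
    amount.text = new_amount
    return ET.tostring(root, encoding="unicode")


def demo() -> dict:
    """Run the message through each hop; True means the receiver accepts."""
    signed = sign_body(SAMPLE_ENVELOPE, END_TO_END_KEY)
    routed = intermediary_route(signed, "hop-2")
    tampered = intermediary_tamper(routed, "100000")
    return {
        "signed": verify_body(signed, END_TO_END_KEY),      # True
        "routed": verify_body(routed, END_TO_END_KEY),      # True
        "tampered": verify_body(tampered, END_TO_END_KEY),  # False
        "unsigned": verify_body(SAMPLE_ENVELOPE, END_TO_END_KEY),  # False
    }


if __name__ == "__main__":
    for hop, accepted in demo().items():
        print(f"{hop:9s} accepted={accepted}")
```

The design choice worth noting is that only the Body is covered: headers stay free for intermediaries to add routing information, which is the SOAP intermediary model, while the receiver's trust rests on the key it shares with the sender rather than on the honesty of every hop.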

Received on Monday, 14 March 2005 10:38:00 UTC