W3C home > Mailing lists > Public > www-ws@w3.org > March 2005

Re: SSL not secure for WS??

From: Anish Karmarkar <Anish.Karmarkar@oracle.com>
Date: Fri, 04 Mar 2005 10:50:04 -0800
Message-ID: <4228ADDC.9070805@oracle.com>
To: daniela.claro@eseo.fr
CC: www-ws@w3.org

I think making a general statement that 'SSL is not secure for web 
services' is not quite accurate. There are certain deployments/usage of 
Web services (which perhaps may be quite common) where SSL does not fit 
the bill.

SSL being point-to-point provides security at the connection level, but 
does not provide end-to-end security.

Consider a message that traverses several hops (which use the same or 
different transport). In such a case SSL does not provide you with 
message integrity.
Another example is: the payload of the message is stored in a queue and 
processed at some later point in time.

WRT to intermediaries there can be transport intermediaries or SOAP 
intermediaries [1].

HTH.

-Anish
--

[1] http://www.w3.org/TR/2003/REC-soap12-part1-20030624/#relaysoapmsg

Daniela CLARO wrote:
> Hi all,
>  
>  Could anyone please explain me, why SSL is not secure for web services? 
> Moreover, what is exactly the "intermediaries" that could exist between 
> a web service connection that SSL can not garantee tthe security anymore?
>  
>  
> Thank you very much,
> Daniela
Received on Friday, 4 March 2005 18:55:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:48 GMT