Re: SOAP headers for xmldsig and xenc

Joseph,

Thanks for the pointers. I notice that one thing missing under 'Security
Considerations' in [1] is 'What happens if someone just removes the header?'
Seems to me that this is a significant problem. One way to solve it would be
to encrypt all the messages but that's relatively expensive.

Martin

----- Original Message -----
From: "Joseph Reagle" <reagle@w3.org>
To: "'www-xenc-xmlp-tf'" <www-xenc-xmlp-tf@w3.org>; "'xml-dist-app'"
<xml-dist-app@w3.org>
Cc: "David Orchard" <dorchard@bea.com>; "Takeshi Imamura"
<IMAMU@jp.ibm.com>; "Maryann Hondo" <mhondo@us.ibm.com>
Sent: Wednesday, April 03, 2002 7:36 PM
Subject: SOAP headers for xmldsig and xenc


>
> There's a long standing demand for SOAP headers that can be used with
> xmldsig and xenc. The work shouldn't be hard. We already have proposals:
> on the xmldsig side we have [1], on xenc we have [2]. What we don't have
> yet is a quorum, a namespace, nor a formal chartered process. However,
> *if* someone was willing to volunteer to author such a document:
>
> 1. We have the following list with some of the interested folks on it. It
> should be used for discussion and convergence on a document.
>   www-xenc-xmlp-tf@w3.org
> 2. I'm confident I could get the proposal a stable namespace.
> 3. Process-wise, such an activity might get picked up somewhere, sometime,
> (I favor as part of the Web Services Activity...) but there's no reason to
> wait for that. If there's a document in hand, then when some
> (re)chartering is at hand, it makes it all that much easier to add it as
> a deliverable.
>
> If you're interested, let me know. I won't continue this discussion on
> xenc or dist-app; if you are interested, join www-xenc-xmlp-tf [3].
>
> [1] http://www.w3.org/TR/SOAP-dsig/
> [2] http://lists.w3.org/Archives/Public/www-xenc-xmlp-tf/2001Dec/0001.html
> [3] Subject: subscribe to www-xenc-xmlp-tf-request@w3.org .
> --
>
> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
>

Received on Wednesday, 3 April 2002 14:02:18 UTC
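
The header-removal concern raised in the reply above, as an added example that is not part of the original thread: a receiver that checks a signature only when one is present accepts a message whose signature header was stripped, while a receiver that requires a signature referencing the Body rejects it. The SOAP-SEC namespace and `id` attribute are assumed to follow the SOAP-dsig note [1]; `accept`, `signature_covers_body` and the sample messages are hypothetical, and cryptographic validation of the signature itself is out of scope.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope, XML-DSig, and SOAP-SEC namespaces. The SOAP-SEC URI is
# assumed to be the one used by the SOAP-dsig note cited as [1].
NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "sec": "http://schemas.xmlsoap.org/soap/security/2000-12",
}
REF_PATH = "env:Header/sec:Signature/ds:Signature/ds:SignedInfo/ds:Reference"

# Constructed sample: signature header (digest and signature values omitted).
HEADER = (
    '<env:Header><sec:Signature><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI="#Body"/>'
    '</ds:SignedInfo></ds:Signature></sec:Signature></env:Header>'
)
SIGNED = (
    '<env:Envelope xmlns:env="{env}" xmlns:ds="{ds}" xmlns:sec="{sec}">'.format(**NS)
    + HEADER
    + '<env:Body sec:id="Body"><m:Pay xmlns:m="urn:example">100</m:Pay></env:Body>'
    + '</env:Envelope>'
)
STRIPPED = SIGNED.replace(HEADER, "")  # what the receiver sees after removal


def signature_covers_body(envelope_xml):
    """True only if a signature header exists and one Reference targets the Body.

    Presence/coverage policy only; an XML-DSig library must still validate
    the signature. Use a hardened XML parser for untrusted input.
    """
    root = ET.fromstring(envelope_xml)
    body = root.find("env:Body", NS)
    if body is None:
        return False
    body_id = body.get("{%s}id" % NS["sec"])
    if not body_id:
        return False  # nothing a same-document Reference could point at
    return any(r.get("URI") == "#" + body_id for r in root.findall(REF_PATH, NS))


def accept(envelope_xml, require_signature):
    """Hypothetical receiver gate. require_signature=False models a receiver
    that verifies a signature only when the header happens to be present."""
    if require_signature:
        return signature_covers_body(envelope_xml)
    return True  # lenient: an unsigned (stripped) message passes unchecked
```

The strict policy only helps if the receiver knows out of band that the sender always signs; the message itself cannot carry that fact once the header is gone.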