
Re: Draft registration of application/soap+xml

From: Rich Salz <rsalz@zolera.com>
Date: Fri, 04 Jan 2002 12:31:04 -0500
Message-ID: <3C35E6D8.3070602@zolera.com>
To: Mark Baker <distobj@acm.org>
CC: xml-dist-app@w3.org
I don't think it's necessary to get into the whole tunneled thing here. 
It is simpler (and less controversial) to say that the message may avail 
itself of underlying transport-level security, and/or that XML features 
such as DSIG and XMLENC may be used to provide SOAP-level security features.


>   The SOAP processing model itself is entirely innocuous from a security
>   perspective.


I don't think so, since it doesn't seem feasible to encrypt the actor 
and mustUnderstand values.  If a message is intended to go A->B->C->D 
but encrypted so only B knows the C-uri, then an adversary could 
redirect the message from B directly to D.
	/r$
-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Received on Friday, 4 January 2002 12:32:05 GMT
