
Re: Draft registration of application/soap+xml

From: Rich Salz <rsalz@zolera.com>
Date: Fri, 04 Jan 2002 14:39:14 -0500
Message-ID: <3C3604E2.8070004@zolera.com>
To: Mark Baker <distobj@acm.org>
CC: xml-dist-app@w3.org
>>It is simpler (and less controversial) to say that the message may avail 
>>itself of underlying transport-level security, and/or that XML features 
>>such as DSIG and XMLENC may be used to provide soap-level security features.
>
> But that's not true.  You can sign and encrypt RPC methods as much as
> you like, but that won't make them secure.


Please explain.  I've been involved in the security area for a while, and 
I just don't understand your point.  Aren't signed/encrypted SOAP 
messages over HTTP the exact same thing as SMIME over SMTP?

> That's an interesting point, but the processing model doesn't specify
> how to route, only how to target.


A recipient receiving a message with an encrypted actor and/or 
mustUnderstand cannot properly send a SOAP "actor" fault back, since 
(obviously) it doesn't know who the actor was. :)  I believe this 
impacts the processing model.

	/r$

-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Received on Friday, 4 January 2002 14:39:43 GMT
