Re: Review - Web Services Security: SOAP Message Security (1 of 3)

From: Jean-Jacques Moreau <jean-jacques.moreau@crf.canon.fr>
Date: Thu, 25 Sep 2003 09:57:28 +0200
Message-ID: <3F729FE8.9030408@crf.canon.fr>
To: Marc Hadley <Marc.Hadley@Sun.COM>
Cc: xml-dist-app@w3.org

Great review! I have one comment only. JJ.

Marc Hadley wrote:

> *** 410 "The <wsse:Security> header block without a specified S:role  
> MAY be consumed by anyone, but MUST NOT be removed prior to the final  
> destination or endpoint." What does 'consumed' mean? SOAP 1.2 makes it  
> clear that SOAP headers without a role attribute are equivalent to  
> those with a role of  
> "http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver". In  
> both cases the ultimate receiver of the message is the target of the  
> header block.

An active intermediary could still consume the header block; this 
is part of the processing model. So, unless WSS includes a 
special header block to implement the above assertion, it cannot 
be fulfilled, I think.
Received on Thursday, 25 September 2003 03:57:42 GMT
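
The targeting rule quoted above, and a receiver-side presence check, as an added example that is not part of the original message or of either specification. The gateway role URI and both sample envelopes are constructed, and the wsse namespace is the one from the final OASIS WSS 1.0 schema, which may differ from the draft under review.

```python
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
ULTIMATE = SOAP12 + "/role/ultimateReceiver"
NEXT = SOAP12 + "/role/next"
NONE = SOAP12 + "/role/none"
# Assumption: final OASIS WSS 1.0 namespace; the 2003 draft may have used another.
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
GATEWAY = "http://example.org/roles/gateway"  # constructed custom role

def effective_role(block):
    """SOAP 1.2: an absent or empty role attribute means ultimateReceiver."""
    return block.get("{%s}role" % SOAP12) or ULTIMATE

def header_blocks(envelope_xml):
    header = ET.fromstring(envelope_xml).find("{%s}Header" % SOAP12)
    return list(header) if header is not None else []

def targeted_at(envelope_xml, node_roles):
    """Header blocks targeted at a node acting in node_roles.
    The 'none' role never targets any node."""
    return [b for b in header_blocks(envelope_xml)
            if effective_role(b) != NONE and effective_role(b) in node_roles]

def security_block_for_receiver_present(envelope_xml):
    """Receiver-side check: is a Security block aimed at the ultimate
    receiver present? It reports absence only; it cannot tell a block
    removed in transit from one the sender never included."""
    tag = "{%s}Security" % WSSE
    return any(b.tag == tag and effective_role(b) == ULTIMATE
               for b in header_blocks(envelope_xml))

# Constructed sample: one role-less Security block, one aimed at a gateway.
SAMPLE = """<env:Envelope xmlns:env="%s" xmlns:wsse="%s">
 <env:Header>
  <wsse:Security/>
  <wsse:Security env:role="%s"/>
 </env:Header>
 <env:Body/>
</env:Envelope>""" % (SOAP12, WSSE, GATEWAY)
# Constructed: the same message after the role-less block has been dropped.
STRIPPED = SAMPLE.replace("<wsse:Security/>", "")

if __name__ == "__main__":
    for name, roles in (("gateway", {NEXT, GATEWAY}), ("receiver", {NEXT, ULTIMATE})):
        print(name, [effective_role(b) for b in targeted_at(SAMPLE, roles)])
    print("intact:", security_block_for_receiver_present(SAMPLE))
    print("stripped:", security_block_for_receiver_present(STRIPPED))
```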