- From: Rich Salz <rsalz@datapower.com>
- Date: Tue, 08 Feb 2005 14:26:29 -0500
- To: Mark Baker <distobj@acm.org>
- CC: public-ws-addressing@w3.org
>>A significant problem with putting wsa:To as the request-URI is that >>end-to-end content protection and integrity (signing and encryption) >>is lost. > > I wouldn't say it's lost, I'd just say that it's changed. What spec shows how to sign the request-uri? And encrypt it? As far as I know, all we have right now it hop-by-hop using SSL/TLS. > A SOAP based encryption mechanism would still protect the *content* > of the message, just not the protocol metadata like operation and > address. That would be left for the protocol. I personally think > this is a much better layered solution in the general case. If I lose the ability to protect the operation and target URL then the solution sucks. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
Received on Tuesday, 8 February 2005 19:25:36 UTC