- From: Jonathan Marsh <jmarsh@microsoft.com>
- Date: Mon, 3 Jan 2005 11:13:50 -0800
- To: "Rich Salz" <rsalz@datapower.com>
- Cc: <public-ws-addressing@w3.org>
Like I said, I'm not a security expert, but I'm not aware of anything in WSS that implies that all security features must be expressed through WSS. Do you have a reference to the part of WSS that you're concerned about?

Expanding on my earlier post, to statelessly secure a refP against modification, one could:

- insert within the refP itself the security measures such as a DSig that enable the service to verify that the refP hasn't been changed since issued, or
- insert a second refP containing security measures and pointing to the header (or headers) to be secured.

This is similar to statelessly securing HTTP cookies. The cookie transfer mechanism is defined in a general spec but how cookies ensure clients don't modify their contents is out-of-scope. Just as you don't use TLS to prevent clients from altering cookies, you don't use WSS to prevent clients from altering headers.

ID attribute collisions seem indeed to be a problem, regardless of whether refPs are wrapped or not - this is a general problem when combining chunks of XML. We should look at this more closely, but on a practical level I might try to make sure any ID values I stuck in my refPs were unlikely to cause conflicts, e.g. something like an embedded GUID value xml:id="guid-1234-1234-1234-12345678".

> -----Original Message-----
> From: Rich Salz [mailto:rsalz@datapower.com]
> Sent: Thursday, December 23, 2004 1:36 PM
> To: Jonathan Marsh
> Cc: tom@coastin.com; Srinivas, Davanum M; public-ws-addressing@w3.org
> Subject: Re: Problems with the SOAP binding
>
> > Um, wouldn't the wrapped problem "solve" this by hiding the security
> > stuff in a place where the SOAP security processor can't find it?
>
> That's the $10,000 question. Is the intent of WS-Security that all
> signature functions related to securing the SOAP message be part of the
> WSS header? If so, problems. If not, then a wrapper works.
>
> Still got the ID attribute issue, tho.
>
> /r$
>
> --
> Rich Salz, Chief Security Architect
> DataPower Technology http://www.datapower.com
> XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
> XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
Received on Monday, 3 January 2005 19:14:39 UTC
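
The first option in the message above (a refP that carries its own integrity check, as a self-protecting cookie does), as an added example that is not part of the original post. It substitutes an HMAC-SHA256 tag for the DSig the message mentions; the `urn:example:refp` namespace, the `ex:mac` attribute and the function names are assumptions made for illustration.

```python
import copy
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET

NS = "urn:example:refp"        # hypothetical namespace for this example
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"
MAC_ATTR = f"{{{NS}}}mac"      # hypothetical attribute that carries the tag
ET.register_namespace("ex", NS)


def _tag(elem: ET.Element, key: bytes) -> str:
    """HMAC-SHA256 over the C14N 2.0 form of the element minus its MAC attribute."""
    clone = copy.deepcopy(elem)
    clone.attrib.pop(MAC_ATTR, None)
    canonical = ET.canonicalize(ET.tostring(clone, encoding="unicode"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_refp(local_name: str, value: str, key: bytes) -> str:
    """Service side: build a refP with a GUID-based xml:id and an embedded MAC."""
    elem = ET.Element(f"{{{NS}}}{local_name}")
    # A fresh GUID per refP keeps ID values unlikely to collide with other
    # XML chunks combined into the same SOAP envelope.
    elem.set(XML_ID, f"guid-{uuid.uuid4()}")
    elem.text = value
    elem.set(MAC_ATTR, _tag(elem, key))
    return ET.tostring(elem, encoding="unicode")


def verify_refp(header_xml: str, key: bytes) -> bool:
    """Service side: statelessly check that an echoed refP is unmodified."""
    try:
        elem = ET.fromstring(header_xml)
    except ET.ParseError:
        return False
    presented = elem.attrib.get(MAC_ATTR)
    if presented is None:
        return False  # an unprotected header is rejected, not trusted
    expected = _tag(elem, key)
    # Constant-time comparison on bytes; tolerates non-ASCII attacker input.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))
```

The key never leaves the service, so the client can echo the header but cannot produce a valid tag for altered content; the service keeps no per-refP state.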