- From: Rich Salz <rsalz@datapower.com>
- Date: Mon, 07 Mar 2005 13:19:26 -0500
- To: Mark Nottingham <mark.nottingham@bea.com>
- CC: "www-tag@w3.org" <www-tag@w3.org>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
Mark, you're correct that digest-auth protects the request-uri. There was an extended thread on digest-auth on the xml-dev list in Jan 04; it turns out that digest is available more than I (or you) might expect. The drawbacks to it are Requires a shared secret between client and server; barring WS-Trust or similar, this means "shared login password." Ugh. Really only works with HTTP request-response MEP Doesn't fit into WS-Security > Also, SSL and TLS provide security for both HTTP headers and all of the > request line EXCEPT for the hostname and port. Yes, but since the server name must appear in the server's certificate, this really comes down to just the port number. Also, SSL/TLS is hop-by-hop, not end-to-end. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
Received on Monday, 7 March 2005 18:18:28 UTC