- From: Mark Nottingham <mark.nottingham@bea.com>
- Date: Mon, 7 Mar 2005 11:03:26 -0800
- To: Rich Salz <rsalz@datapower.com>
- Cc: "www-tag@w3.org" <www-tag@w3.org>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
On Mar 7, 2005, at 10:19 AM, Rich Salz wrote:

> Mark, you're correct that digest-auth protects the request-uri. There
> was an extended thread on digest-auth on the xml-dev list in Jan 04;
> it turns out that digest is available more than I (or you) might
> expect.

Sorry, I meant that I didn't know if qop=auth-int were widely implemented; then again, since you get integrity protection on the request-uri for free even with qop=auth, the bar is lower in this particular case. Digest auth in general is very widely supported (I use it every day ;)

> The drawbacks to it are
> Requires a shared secret between client and server; barring WS-Trust
> or similar, this means "shared login password." Ugh.
> Really only works with HTTP request-response MEP
> Doesn't fit into WS-Security

Yup.

>> Also, SSL and TLS provide security for both HTTP headers and all of
>> the request line EXCEPT for the hostname and port.
>
> Yes, but since the server name must appear in the server's
> certificate, this really comes down to just the port number. Also,
> SSL/TLS is hop-by-hop, not end-to-end.

Well, it's end-to-end for HTTP, but not for SOAP. </quibble>

Cheers,

--
Mark Nottingham
Principal Technologist
Office of the CTO
BEA Systems
Received on Monday, 7 March 2005 19:03:49 UTC
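The point about the request-uri being integrity-protected "for free" with qop=auth follows from how the RFC 2617 Digest response is built, shown here as an added example that is not part of the message above or any code by its authors: the URI is an input to HA2, so a server that recomputes the response from the request line it actually received rejects a request whose URI was changed in transit, and with qop=auth-int the entity body is covered as well. Credentials and nonces are the constructed values from the RFC 2617 worked example.

```python
import hashlib
import hmac

# Added example (not from the e-mail): RFC 2617 Digest "response" computation
# and the server-side check that gives the request-uri integrity protection.


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", body=b""):
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    if qop == "auth":
        # The request-uri is hashed into HA2 even without auth-int.
        ha2 = _md5(f"{method}:{uri}")
    elif qop == "auth-int":
        # auth-int additionally binds the entity body.
        ha2 = _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        raise ValueError("unsupported qop")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(password, fields, method, received_uri, body=b""):
    """Server side: recompute from the request line (and body) actually
    received and compare with the client's response field."""
    expected = digest_response(fields["username"], fields["realm"], password,
                               method, received_uri, fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"],
                               body)
    return hmac.compare_digest(expected, fields["response"])


def demo():
    """Constructed request using the RFC 2617 example values; returns
    (accepted as sent, accepted after the request-uri was altered)."""
    password = "Circle Of Life"
    fields = dict(username="Mufasa", realm="testrealm@host.com",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
                  cnonce="0a4f113b", qop="auth")
    fields["response"] = digest_response(
        fields["username"], fields["realm"], password, "GET",
        "/dir/index.html", fields["nonce"], fields["nc"], fields["cnonce"])
    intact = server_accepts(password, fields, "GET", "/dir/index.html")
    tampered = server_accepts(password, fields, "GET", "/dir/other.html")
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```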