- From: Rich Salz <rsalz@datapower.com>
- Date: Mon, 7 Mar 2005 20:17:56 -0500 (EST)
- To: "Rice, Ed (HP.com)" <ed.rice@hp.com>
- cc: "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>, "www-tag@w3.org" <www-tag@w3.org>

> I guess it depends on the content. Normally when you use a SOAP
> intermediary you would have your SSL connection with the intermediary if
> you're concerned about the validity of the content. That way the
> intermediary becomes a trusted source (and it in-turn would have to have
> a trust relationship with the up-stream author of the content).

That strikes me as turning an architectural limitation into a feature.
If I sign my content, I don't have to trust a SOAP intermediary to do
anything more than its business. If that intermediary gets compromised,
*my* content won't get screwed up. (Choicepoint, anyone?)

You don't trust every router that might touch your TCP packets, do you?
Of course not -- that's why you use SSL. Why is the SOAP situation any
different? I want end-to-end security, not hop-by-hop. I'm not alone. :)

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html

Received on Tuesday, 8 March 2005 01:33:40 UTC
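
The end-to-end versus hop-by-hop argument in the message above, as an added example that is not part of the original post: a receiver checks a signature over the body after the message has passed through an intermediary that legitimately terminates the transport session. Assumptions: an HMAC with a key held only by the two endpoints stands in for a content signature (the message names no mechanism), and the message layout, function names and sample values are constructed.

```python
import hashlib
import hmac
import json

# Constructed key held only by sender and receiver (assumption: stands in
# for the sender's signing key; intermediaries never see it).
ENDPOINT_KEY = b"constructed-demo-key-known-to-endpoints-only"

def _sign(body: dict) -> str:
    # Canonical serialisation so re-encoding by a hop does not break the check.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ENDPOINT_KEY, canonical, hashlib.sha256).hexdigest()

def sender_build(body: dict) -> dict:
    """Sender signs the body only; headers stay editable by intermediaries."""
    return {"headers": {"to": "urn:example:receiver", "via": []},
            "body": body, "signature": _sign(body)}

def honest_intermediary(msg: dict) -> dict:
    """Does its business: adds a routing header, leaves the body alone."""
    out = json.loads(json.dumps(msg))  # the hop re-serialises the message
    out["headers"]["via"].append("hop-1")
    return out

def compromised_intermediary(msg: dict) -> dict:
    """Same hop with the same valid transport session, but it alters the body."""
    out = honest_intermediary(msg)
    out["body"]["amount"] = 9999
    return out

def end_to_end_accepts(msg: dict) -> bool:
    """Receiver verifies the sender's signature, whatever hops were involved."""
    return hmac.compare_digest(msg["signature"], _sign(msg["body"]))

def hop_by_hop_accepts(msg: dict, last_hop_session_ok: bool) -> bool:
    """Hop-by-hop model: all the receiver can check is the last link."""
    return last_hop_session_ok

if __name__ == "__main__":
    original = sender_build({"account": "A-100", "amount": 25})  # constructed
    for name, hop in (("honest", honest_intermediary),
                      ("compromised", compromised_intermediary)):
        delivered = hop(original)
        print(f"{name:12} hop-by-hop={hop_by_hop_accepts(delivered, True)} "
              f"end-to-end={end_to_end_accepts(delivered)}")
```
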