Re: Minutes of the Web Services Addressing / TAG joint meeting

> I guess it depends on the content.  Normally when you use a SOAP
> intermediary you would have your SSL connection with the intermediary if
> you're concerned about the validity of the content.  That way the
> intermediary becomes a trusted source (and it in turn would have to have
> a trust relationship with the up-stream author of the content).

That strikes me as turning an architectural limitation into a feature.
If I sign my content, I don't have to trust a SOAP intermediary to do
anything more than its business.  If that intermediary gets
compromised, *my* content won't get screwed up.  (Choicepoint, anyone?)

You don't trust every router that might touch your TCP packets, do you?
Of course not -- that's why you use SSL.  Why is the SOAP situation
any different?

I want end-to-end security, not hop-by-hop.  I'm not alone. :)
        /r$

-- 
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html

Received on Tuesday, 8 March 2005 01:33:40 UTC
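
The hop-by-hop versus end-to-end distinction argued in this message, as an added example that is not part of the original post: a message crosses one intermediary that terminates both links, and the recipient checks both the per-link integrity tag and the author's own tag over the body. The keys, field names and the use of HMAC in place of a real signature format such as XML Signature are assumptions made for the sketch.

```python
import copy
import hashlib
import hmac
import json

# Constructed keys (assumptions). LINK_A / LINK_B model the two protected
# sessions that the intermediary terminates; E2E_KEY is known only to the
# author and the final recipient and stands in for the author's signing key.
LINK_A = b"constructed-link-key-author-to-hop"
LINK_B = b"constructed-link-key-hop-to-recipient"
E2E_KEY = b"constructed-end-to-end-key"

def mac(key, obj):
    """HMAC-SHA256 over a deterministic JSON serialization of obj."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def author_send(body):
    """Author tags the body end to end, then protects the first link."""
    msg = {"headers": {}, "body": body, "e2e_sig": mac(E2E_KEY, body)}
    return {"msg": msg, "link_mac": mac(LINK_A, msg)}

def intermediary(frame, compromised=False):
    """Verify link A, add a routing header, re-protect for link B.
    A compromised hop also rewrites the body it can see in the clear."""
    if not hmac.compare_digest(frame["link_mac"], mac(LINK_A, frame["msg"])):
        raise ValueError("link A integrity check failed")
    msg = copy.deepcopy(frame["msg"])
    msg["headers"]["via"] = "hop-1"
    if compromised:
        msg["body"]["amount"] = 9999
    return {"msg": msg, "link_mac": mac(LINK_B, msg)}

def recipient_check(frame):
    """Report what each model can tell the recipient about the message."""
    msg = frame["msg"]
    hop_ok = hmac.compare_digest(frame["link_mac"], mac(LINK_B, msg))
    e2e_ok = hmac.compare_digest(msg["e2e_sig"], mac(E2E_KEY, msg["body"]))
    return {"hop_by_hop": hop_ok, "end_to_end": e2e_ok}

def demo():
    body = {"to": "acct-42", "amount": 10}  # constructed sample body
    honest = recipient_check(intermediary(author_send(body)))
    tampered = recipient_check(intermediary(author_send(body), compromised=True))
    return honest, tampered

if __name__ == "__main__":
    print(demo())
```

The link check still passes after the body is rewritten because the intermediary legitimately holds the link key; only the tag computed by the author over the body exposes the change, while the added routing header leaves it valid.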