- From: David Hull <dmh@tibco.com>
- Date: Thu, 09 Jun 2005 19:34:06 +0200
- To: Rich Salz <rsalz@datapower.com>
- Cc: public-ws-async-tf@w3.org

Rich Salz wrote:

>> * Traffic is meant to be secured. In this case, the empty 2xx
>> marker reveals information (namely that there was no fault), while
>> an encrypted SOAP message response doesn't.
>
> This only if the encrypted SOAP message is roughly the same length as
> fault message. I think the right answer to address this concern is
> SSL/TLS, which probably obscures the plaintext size enough to thwart
> this kind of traffic analysis.
>
> /r$

I mostly agree. On the other hand, we are offering WS-Security as its own layer, and it's certainly possible to specify an encryption algorithm that adds arbitrary amounts of padding. Really just a matter of finding the right wrench to pound the screw in question.

Received on Thursday, 9 June 2005 17:34:40 UTC
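
The length leak discussed in this message, as an added example that is not part of the original thread: it models only ciphertext lengths (no real encryption) to show when a passive observer can tell a fault from a success response, and how padding to a fixed bucket removes the difference. The SOAP bodies are constructed samples; the cipher (AES-CBC with PKCS#7) and the bucket padding scheme with its function names are assumptions chosen for illustration, not anything specified by WS-Security.

```python
BLOCK = 16  # assumed cipher: AES-CBC, 16-byte blocks, PKCS#7 padding, IV prepended

# Constructed sample response bodies (not taken from the thread).
OK_BODY = b"<soap:Envelope><soap:Body><ack/></soap:Body></soap:Envelope>"
FAULT_BODY = (b"<soap:Envelope><soap:Body><soap:Fault><faultcode>soap:Server"
              b"</faultcode><faultstring>Backend unavailable</faultstring>"
              b"</soap:Fault></soap:Body></soap:Envelope>")


def cbc_len(n):
    """Ciphertext length for n plaintext bytes: IV plus PKCS#7-padded blocks."""
    return BLOCK + (n // BLOCK + 1) * BLOCK


def pad_to_bucket(body, bucket=512):
    """Hypothetical length-hiding frame: 4-byte length prefix, zero-fill to a
    multiple of `bucket`, applied before encryption."""
    framed = len(body).to_bytes(4, "big") + body
    return framed + b"\x00" * (-len(framed) % bucket)


def unpad(padded):
    """Receiver side: recover the original body from a padded frame."""
    n = int.from_bytes(padded[:4], "big")
    return padded[4:4 + n]


def observer_guess(wire_len, known_ok_len):
    """Passive observer who sees only sizes and has learned the success size."""
    return "ok" if wire_len == known_ok_len else "fault"


def distinguishable(encode):
    """True if the two responses still differ in size on the wire after `encode`."""
    return cbc_len(len(encode(OK_BODY))) != cbc_len(len(encode(FAULT_BODY)))


if __name__ == "__main__":
    ok_len = cbc_len(len(OK_BODY))
    fault_len = cbc_len(len(FAULT_BODY))
    print("unpadded sizes:", ok_len, fault_len,
          "-> observer says", observer_guess(fault_len, ok_len))
    print("leak without padding:", distinguishable(lambda b: b))
    print("leak with bucket padding:", distinguishable(pad_to_bucket))
```

Block-cipher padding alone only rounds up to the next 16 bytes, so the bucket must be at least as large as the longest response that has to look identical to the others.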