- From: Mark Nottingham <mark.nottingham@bea.com>
- Date: Mon, 7 Mar 2005 09:50:01 -0800
- To: Rich Salz <rsalz@datapower.com>
- Cc: "www-tag@w3.org" <www-tag@w3.org>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
RFC2617 allows a limited form of integrity protection on both requests and responses; see sections 3.2.2 and 3.2.3, especially with regard to the calculation of A2. While it's true that HTTP Digest authentication doesn't provide for integrity protection on HTTP headers (it's very messy), the Request-URI isn't a header, it's in the Request-Line. That said, I'm not aware of any implementations that support this. Anybody else? Also, SSL and TLS provide security for both HTTP headers and all of the request line EXCEPT for the hostname and port. Cheers, On Mar 4, 2005, at 7:46 AM, Rich Salz wrote: > >> "underlying" protocol such as HTTP. Duplication has serious >> downsides, >> but also some advantages, and may be a reasonable compromise in some >> cases, perhaps this one. > > There is no way to get end-to-end security on HTTP headers. Put > another > way, while I can sign a wsa:To element, there is no way (at least not > standard way; there might be a private shcme I don't know about) > to sign the URL in the POST command. > > /r$ > -- > Rich Salz Chief Security Architect > DataPower Technology http://www.datapower.com > XS40 XML Security Gateway http://www.datapower.com/products/xs40.html > > > -- Mark Nottingham Principal Technologist Office of the CTO BEA Systems
Received on Monday, 7 March 2005 17:50:31 UTC