- From: Anish Karmarkar <Anish.Karmarkar@oracle.com>
- Date: Mon, 07 Mar 2005 11:00:58 -0800
- To: Mark Nottingham <mark.nottingham@bea.com>
- CC: Rich Salz <rsalz@datapower.com>, "www-tag@w3.org" <www-tag@w3.org>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
Mark Nottingham wrote: > > RFC2617 allows a limited form of integrity protection on both requests > and responses; see sections 3.2.2 and 3.2.3, especially with regard to > the calculation of A2. While it's true that HTTP Digest authentication > doesn't provide for integrity protection on HTTP headers (it's very > messy), the Request-URI isn't a header, it's in the Request-Line. > > That said, I'm not aware of any implementations that support this. > Anybody else? > Apache has a mod_auth_digest (http://httpd.apache.org/docs-2.1/mod/mod_auth_digest.html) that implements HTTP digest auth, but this is an experimental module. > Also, SSL and TLS provide security for both HTTP headers and all of the > request line EXCEPT for the hostname and port. > > Cheers, > > > On Mar 4, 2005, at 7:46 AM, Rich Salz wrote: > >> >>> "underlying" protocol such as HTTP. Duplication has serious downsides, >>> but also some advantages, and may be a reasonable compromise in some >>> cases, perhaps this one. >> >> >> There is no way to get end-to-end security on HTTP headers. Put another >> way, while I can sign a wsa:To element, there is no way (at least not >> standard way; there might be a private shcme I don't know about) >> to sign the URL in the POST command. >> >> /r$ >> -- >> Rich Salz Chief Security Architect >> DataPower Technology http://www.datapower.com >> XS40 XML Security Gateway http://www.datapower.com/products/xs40.html >> >> >> > > -- > Mark Nottingham Principal Technologist > Office of the CTO BEA Systems > >
Received on Monday, 7 March 2005 19:02:27 UTC