- From: Mark Nottingham <mark.nottingham@bea.com>
- Date: Mon, 7 Mar 2005 11:03:26 -0800
- To: Rich Salz <rsalz@datapower.com>
- Cc: "www-tag@w3.org" <www-tag@w3.org>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
On Mar 7, 2005, at 10:19 AM, Rich Salz wrote: > Mark, you're correct that digest-auth protects the request-uri. There > was an extended thread on digest-auth on the xml-dev list in Jan 04; > it turns out that digest is available more than I (or you) might > expect. Sorry, I meant that I didn't know if qop=auth-int were widely implemented; then again, since you get integrity protection on the request-uri for free even with qop=auth, the bar is lower in this particular case. Digest auth in general is very widely supported (I use it every day ;) > The drawbacks to it are > Requires a shared secret between client and server; barring WS-Trust > or similar, this means "shared login password." Ugh. > Really only works with HTTP request-response MEP > Doesn't fit into WS-Security Yup. >> Also, SSL and TLS provide security for both HTTP headers and all of >> the request line EXCEPT for the hostname and port. > > Yes, but since the server name must appear in the server's > certificate, this really comes down to just the port number. Also, > SSL/TLS is hop-by-hop, not end-to-end. Well, it's end-to-end for HTTP, but not for SOAP. </quibble> Cheers, -- Mark Nottingham Principal Technologist Office of the CTO BEA Systems
Received on Monday, 7 March 2005 19:03:48 UTC