- From: Rice, Ed (HP.com) <ed.rice@hp.com>
- Date: Mon, 14 Mar 2005 02:37:58 -0800
- To: "Paul Cotton" <pcotton@microsoft.com>, "Rich Salz" <rsalz@datapower.com>
- Cc: <public-ws-addressing@w3.org>, <www-tag@w3.org>
I think your mixing your types of transfers (mixed metaphors). A SOAP transfer using SSL is the same as any SSL transfer, you still don't 'trust' the routers and the package transfer through securely. What I 'Believe' your talking about with a SOAP intermediary is another company or process that sits between the sender and the receiver who may open the package, read the package and then route it appropriately (not sure if your suggesting they should also be able to add content). Clearly, this is an issue if you're looking for end-to-end security if your going to use SOAP. This type of security would require that the entire SOAP package be encoded or that 'parts' or the soap package would be encoded so that you could tell what had changed and what wouldn't. This is less a limitation of SOAP than a limitation of XML. -Ed -----Original Message----- From: Paul Cotton [mailto:pcotton@microsoft.com] Sent: Monday, March 07, 2005 5:33 PM To: Rich Salz; Rice, Ed (HP.com) Cc: public-ws-addressing@w3.org; www-tag@w3.org Subject: RE: RFC 2616 (rfc2616) - Hypertext Transfer Protocol -- HTTP/1.1Re: Minutes of the Web Services Addressing / TAG joint meeting > I want end-to-end security, not hop-by-hop. I'm not alone. :) +1 Paul Cotton, Microsoft Canada 17 Eleanor Drive, Nepean, Ontario K2E 6A3 Tel: (613) 225-5445 Fax: (425) 936-7329 mailto:pcotton@microsoft.com > -----Original Message----- > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of > Rich Salz > Sent: March 7, 2005 8:18 PM > To: Rice, Ed (HP.com) > Cc: public-ws-addressing@w3.org; www-tag@w3.org > Subject: RE: RFC 2616 (rfc2616) - Hypertext Transfer Protocol -- > HTTP/1.1Re: Minutes of the Web Services Addressing / TAG joint meeting > > > > I guess it depends on the content. Normally when you use a SOAP > > intermediary you would have your SSL connection with the intermediary if > > your concerned about the validity of the content. That way the > > intermediary becomes a trusted source (and it in-turn would have to have > > a trust relationship with the up-stream author of the content). > > That strikes me as turning an architectural limitation into a feature. > If I sign my content, I don't have to trust a SOAP intermediary to do > anything more than it's business. If that intermediary gets > compromised, *my* content won't get screwed up. (Choicepoint, anyone?) > > You don't trust every router that might touch your TCP packets, do you? > Of course not -- that's why you use SSL. Why is the SOAP situation > any different? > > I want end-to-end security, not hop-by-hop. I'm not alone. :) > /r$ > > -- > Rich Salz Chief Security Architect > DataPower Technology http://www.datapower.com > XS40 XML Security Gateway http://www.datapower.com/products/xs40.html >
Received on Monday, 14 March 2005 10:38:00 UTC