RE: New draft TAG finding - Passwords in the Clear

Ed Rice writes:

> I had assumed that since SOAP uses HTTP and HTTPS that the 
> relationship was implied. 

I hope it's clear that Web Services only sometimes uses SOAP + HTTPS as 
its security mechanism.  HTTPS is fine, if used carefully, for the one hop 
connection-level security that it provides.  I think Paul is pointing out 
that Web Services Security provides complementary mechanisms that secure 
messages at a higher level, and that perhaps these should be considered 
for at least a brief mention as a point of comparison.


Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142

Received on Saturday, 7 October 2006 03:05:45 UTC
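
Added example, not part of the original message and not taken from any Web Services Security specification: a Python model of the comparison made above, where transport protection ends at each hop while a message-level check travels with the message. It assumes an HMAC-SHA256 tag as a stand-in for a WS-Security signature (the real mechanism is XML Signature over SOAP elements); the key, message text and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed key, shared only by the sender and the final receiver (assumption).
# The intermediary never holds it.
END_TO_END_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_message(body: str, key: bytes) -> dict:
    """Sender: attach a message-level integrity tag that travels with the body."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def intermediary(message: dict, tamper: bool) -> dict:
    """A hop that terminates the transport session. It holds the plaintext
    message and forwards it over a new connection, optionally altered."""
    forwarded = dict(message)
    if tamper:
        forwarded["body"] = forwarded["body"].replace("100", "900")
    return forwarded


def receiver_transport_only(message: dict) -> str:
    """Receiver relying on per-hop transport security alone: nothing in the
    message lets it check what earlier hops did, so it accepts the body."""
    return message["body"]


def receiver_message_level(message: dict, key: bytes) -> str:
    """Receiver that verifies the end-to-end tag before accepting the body."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("tag", "")):
        raise ValueError("message-level integrity check failed")
    return message["body"]


def run_demo() -> dict:
    original = sign_message("transfer amount=100 to=acct-A", END_TO_END_KEY)
    altered = intermediary(original, tamper=True)
    results = {"transport_only_accepts": receiver_transport_only(altered)}
    try:
        receiver_message_level(altered, END_TO_END_KEY)
        results["message_level_detects"] = False
    except ValueError:
        results["message_level_detects"] = True
    clean = intermediary(original, tamper=False)
    results["untampered_ok"] = receiver_message_level(clean, END_TO_END_KEY)
    return results


if __name__ == "__main__":
    print(run_demo())
```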