Re: SOAP headers for xmldsig and xenc


Thanks for the pointers. I notice that one thing missing under 'Security
Considerations' in [1] is 'What happens if someone just removes the header?'
Seems to me that this is a significant problem. One way to solve it would be
to encrypt all the messages but that's relatively expensive.


----- Original Message -----
From: "Joseph Reagle" <>
To: "'www-xenc-xmlp-tf'" <>; "'xml-dist-app'"
Cc: "David Orchard" <>; "Takeshi Imamura"
<>; "Maryann Hondo" <>
Sent: Wednesday, April 03, 2002 7:36 PM
Subject: SOAP headers for xmldsig and xenc

> There's a long standing demand for SOAP headers that can be used with
> xlmdsig and xenc. The work shouldn't be hard. We already have proposals:
> the xmldsig side we have [1], on xenc we have [2]. What we don't have yet
> is a quorum, a namespace, nor a formal chartered process. However, *if*
> someone was willing to volunteer to author such a document:
> 1. We have the following list with some of the interested folks on it. It
> should be used for discussion and convergence on a document.
> 2. I'm confident I could get the proposal a stable namespace.
> 3. Process wise, such an activity might get picked up somewhere, sometime,
> (I favor as part of the Web Services Activity...) but there's no reason to
> wait for that. If there's a document in hand, then when some
> is at hand, it makes it all that much easier to add it as a deliverable.
> If you're interested, let me know. I won't continue this discussion on
> or dist-app, if you are interested, join www-xenc-xmlp-tf [3].
> [1]
> [2]
> [3] Subject: subscribe to .
> --
> Joseph Reagle Jr.       
> W3C Policy Analyst      
> IETF/W3C XML-Signature Co-Chair
> W3C XML Encryption Chair

Received on Wednesday, 3 April 2002 14:02:17 UTC