W3C home > Mailing lists > Public > xml-dist-app@w3.org > January 2002

Re: Draft registration of application/soap+xml

From: Rich Salz <rsalz@zolera.com>
Date: Fri, 04 Jan 2002 12:31:04 -0500
Message-ID: <3C35E6D8.3070602@zolera.com>
To: Mark Baker <distobj@acm.org>
CC: xml-dist-app@w3.org
I don't think it's necessary to get into the whole tunneled thing here. 
It is simpler (and less controversial) to say that the message may avail 
itself of underlying transport-level security, and/or that XML features 
such as DSIG and XMLENC may be used to provide soap-level security features.

>   The SOAP processing model itself is entirely innocuous from a security
>   perspective.

I don't think so, since it doesn't seem feasible to encrypt the actor 
and mustUnderstand values.  If a message is intended to go A->B->C->D 
but encrypted so only B knows the C-uri, then an adversary could 
redirect the message from B directly to D.
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
Received on Friday, 4 January 2002 12:32:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 23:11:45 UTC