- From: Rich Salz <rsalz@zolera.com>
- Date: Fri, 04 Jan 2002 14:39:14 -0500
- To: Mark Baker <distobj@acm.org>
- CC: xml-dist-app@w3.org

>>It is simpler (and less controversial) to say that the message may avail
>>itself of underlying transport-level security, and/or that XML features
>>such as DSIG and XMLENC may be used to provide soap-level security features.
>
> But that's not true. You can sign and encrypt RPC methods as much as
> you like, but that won't make them secure.

Please explain. I've been involved in the security area for a while, and I just don't understand your point. Isn't signed/encrypted soap messages over HTTP the exact same thing as SMIME over SMTP?

> That's an interesting point, but the processing model doesn't specify
> how to route, only how to target.

A recipient receiving a message with an encrypted actor and/or mustUnderstand cannot properly send a SOAP "actor" fault back, since (obviously) it doesn't know who the actor was. :) I believe this impacts the processing model.

/r$

--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com

Received on Friday, 4 January 2002 14:39:43 UTC