[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [wsrp-wsia] [change request #40] Is Consumer-Producercommunication secure?
I understand Eric's comment such that we should not add such a flag as it
is inherently unverifiable. I agree to this.
Best regards
Carsten Leue
-------
Dr. Carsten Leue
Dept.8288, IBM Laboratory Böblingen , Germany
Tel.: +49-7031-16-4603, Fax: +49-7031-16-4401
Rich
Thompson/Watson/I
BM@IBMUS To
wsrp-wsia@lists.oasis-open.org
01/24/2003 04:28 cc
PM
Subject
[wsrp-wsia] [change request #40] Is
Consumer-Producer communication
secure?
Document: Spec & wsdl
Section: 6.1.2
Page/Line: 30/27
Requestedby: Michael Freedman
Old text:
Proposed text: add a secureConsumerCommunication boolean field
Reasoning: How does a Producer determine they were called via a secure
channel? I.e. does JAX-RPC and other webstacks provide the equivalent of
an isSecure() call or do we have to pass this information?
[Eric VanLydegraf] This is always a problematic area, the security
infrastructure should provide the security context, aka the transport is
the only one that really knows, having anybody state the security setting
is unverifiable information which defeats itself as far as security is
concerned. The isSecure() is a good example of the infrastructure
providing the information, as it does know exactly how the request was
received. The web stacks will have to do the same thing or some other
network or sofware infrastructure will have to enfoce the security
requirements, because by the time the SOAP endpoint hands off the request
it is too late.
----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC