OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful services

> We (Healthcare security geeks) agree. And part of the effort is to
> identify the residual risks associated with RESTful vs SOAP solution. It
> is only by exposing these explicitly that we will make progress. So, I
> implore you to help me itemize the problems associated with taking a
> well defined SOAP solution that leverages WS-Security and forcing a new
> interface to be built that is RESTful.

As I understand what you've subsequently described, I don't think there are
differences in risk because the security here is just mutual TLS. REST
actually works best when there is no security, or the security can be
confined to the HTTP (or TLS) layer. Seems like it's a pretty good fit here.

I don't think it's possible to itemize problems with WS-Security in general
because WS-Security is not a protocol with any real semantics. It's framing.
You need the protocol and the token content/semantics (including how they're
obtained, of course) before you can talk about risks.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]