Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful services
> We (Healthcare security geeks) agree. And part of the effort is to
> identify the residual risks associated with RESTful vs SOAP solution. It
> is only by exposing these explicitly that we will make progress. So, I
> implore you to help me itemize the problems associated with taking a
> well defined SOAP solution that leverages WS-Security and forcing a new
> interface to be built that is RESTful.

As I understand what you've subsequently described, I don't think there are differences in risk because the security here is just mutual TLS. REST actually works best when there is no security, or the security can be confined to the HTTP (or TLS) layer. Seems like it's a pretty good fit here.

I don't think it's possible to itemize problems with WS-Security in general because WS-Security is not a protocol with any real semantics. It's framing. You need the protocol and the token content/semantics (including how they're obtained, of course) before you can talk about risks.

-- Scott