

Subject: RE: [ws-rx] issue 115: clarifying question



I don't disagree, however, it isn't as if there isn't an effective mitigation strategy.

The specification already covers this, starting on line 820 (cd03):

"In order to properly secure messages, the body and all relevant headers need to be included in the signature."

Clearly, this would be a "relevant header", and the specification for foo:SecureRM should have a similar
caveat that strongly recommends that the header be signed with the body.

My principal concern with a wsrm:mustUnderstand is that it changes the parsing/processing model of the
messages from what is currently the case for every SOAP stack. Significantly.

Adding a SOAP header that carries the desired semantic is something that is built into every SOAP
stack. Every one of them. Today. No changes necessary. Adding a "handler" for the mU QName
could be as trivial as adding an entry to a configuration file of SOAP header QNames that are
"understood" by the endpoint. Oh, the complexity. Not!

Cheers,

Christopher Ferris
STSM, Software Group Standards Strategy
email: chrisfer@us.ibm.com
blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
phone: +1 508 377 9295



Richard Salz/Cambridge/IBM
04/25/2006 08:21 AM

To: "Gilbert Pilz" <Gilbert.Pilz@bea.com>
cc: Christopher B Ferris/Waltham/IBM@IBMUS, "wsrx" <ws-rx@lists.oasis-open.org>
Subject: RE: [ws-rx] issue 115: clarifying question




I think Gil's got a very important point.
        /r$
--
SOA Appliances
Application Integration Middleware
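
The mitigation discussed in this message (sign the relevant header together with the body), as an added example that is not part of the original e-mail or of the WS-RM specification: a Python check that the references of a WS-Security signature cover both the SOAP Body and a required header block. The `urn:example:foo` namespace for `foo:SecureRM`, the `wsu:Id` values and the sample envelope are constructed assumptions; the check covers reference coverage only and does not validate digests or the signature value.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSU, WSSE = WSS + "utility-1.0.xsd", WSS + "secext-1.0.xsd"
FOO = "urn:example:foo"        # placeholder namespace for the thread's foo:SecureRM
HDR = f"{{{FOO}}}SecureRM"     # Clark-notation QName of the "relevant header"
ID = f"{{{WSU}}}Id"

def unsigned_parts(envelope_xml, relevant_headers):
    """Return "Body" and/or header QNames that are absent or not referenced
    by any ds:Reference in SignedInfo (coverage check only)."""
    root = ET.fromstring(envelope_xml)
    ids = [el.get(ID) for el in root.iter() if el.get(ID)]
    signed = {ref.get("URI", "")[1:]
              for ref in root.iterfind(f".//{{{DS}}}SignedInfo/{{{DS}}}Reference")
              if ref.get("URI", "").startswith("#")}

    def covered(el):
        # The Id must be referenced and must name exactly one element.
        return el.get(ID) in signed and ids.count(el.get(ID)) == 1

    missing = []
    body = root.find(f"{{{SOAP}}}Body")
    if body is None or not covered(body):
        missing.append("Body")
    header = root.find(f"{{{SOAP}}}Header")
    for qname in relevant_headers:
        blocks = header.findall(qname) if header is not None else []
        if not blocks or not all(covered(b) for b in blocks):
            missing.append(qname)
    return missing

def sample(refs):
    """Constructed envelope whose signature references the given wsu:Id values."""
    refs_xml = "".join(f'<ds:Reference URI="#{r}"/>' for r in refs)
    return f'''<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}"
    xmlns:wsse="{WSSE}" xmlns:foo="{FOO}">
 <s:Header>
  <foo:SecureRM wsu:Id="rm" s:mustUnderstand="1"/>
  <wsse:Security><ds:Signature><ds:SignedInfo>{refs_xml}</ds:SignedInfo>
  </ds:Signature></wsse:Security>
 </s:Header>
 <s:Body wsu:Id="body"/>
</s:Envelope>'''

if __name__ == "__main__":
    print("body + header signed:", unsigned_parts(sample(["body", "rm"]), [HDR]))
    print("body only signed:   ", unsigned_parts(sample(["body"]), [HDR]))
```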


