ws-rx message
Subject: RE: [ws-rx] issue 115: clarifying question
- From: Christopher B Ferris <chrisfer@us.ibm.com>
- To: Richard Salz <rsalz@us.ibm.com>
- Date: Tue, 25 Apr 2006 08:37:26 -0400
I don't disagree, however, it isn't as if there isn't an effective mitigation strategy. The specification already covers this, starting on line 820 (cd03):

"In order to properly secure messages, the body and all relevant headers need to be included in the signature."

Clearly, this would be a "relevant header", and the specification for foo:SecureRM should have a similar caveat that strongly recommends that the header be signed with the body.

My principal concern with a wsrm:mustUnderstand is that it changes the parsing/processing model of the messages from what is currently the case for every SOAP stack. Significantly.

Adding a SOAP header that carries the desired semantic is something that is built into every SOAP stack. Every one of them. Today. No changes necessary. Adding a "handler" for the mU QName could be as trivial as adding an entry to a configuration file of SOAP header QNames that are "understood" by the endpoint.

Oh, the complexity. Not!

Cheers,
Christopher Ferris
STSM, Software Group Standards Strategy
email: chrisfer@us.ibm.com
blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
phone: +1 508 377 9295
Richard Salz/Cambridge/IBM
04/25/2006 08:21 AM
To: "Gilbert Pilz" <Gilbert.Pilz@bea.com>
cc: Christopher B Ferris/Waltham/IBM@IBMUS, "wsrx" <ws-rx@lists.oasis-open.org>
Subject: RE: [ws-rx] issue 115: clarifying question

I think Gil's got a very important point.
/r$
--
SOA Appliances
Application Integration Middleware
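
The mitigation quoted in the reply above (sign the relevant header together with the body) can be checked at the receiver before a message is acted on. The following is an added example, not part of the original messages or of the WS-RX specification: it reports which required parts of a SOAP envelope are not covered by a `ds:Reference` in the WS-Security signature. The `urn:example:foo` namespace, the `wsu:Id` values, the skeleton envelope and the rule that the header must appear exactly once are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
FOO = "urn:example:foo"  # placeholder namespace for the thread's foo:SecureRM

def unsigned_parts(envelope_xml, required_headers):
    """Return the Body / required header names that no ds:Reference covers.
    Coverage check only: the signature itself must still be verified."""
    # Constructed input only; parse untrusted XML with a hardened parser.
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP}}}Header")
    refs = set()
    if header is not None:
        path = (f"{{{WSSE}}}Security/{{{DS}}}Signature/"
                f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        refs = {r.get("URI", "")[1:] for r in header.findall(path)
                if r.get("URI", "").startswith("#")}
    # A wsu:Id that occurs twice makes the reference ambiguous: treat as unsigned.
    ids = [e.get(f"{{{WSU}}}Id") for e in env.iter() if e.get(f"{{{WSU}}}Id")]

    def covered(el):
        i = el.get(f"{{{WSU}}}Id") if el is not None else None
        return i is not None and i in refs and ids.count(i) == 1

    missing = []
    if not covered(env.find(f"{{{SOAP}}}Body")):
        missing.append("Body")
    for qname in required_headers:
        # Assumed policy: the header is a direct child of Header, exactly once.
        found = header.findall(qname) if header is not None else []
        if len(found) != 1 or not covered(found[0]):
            missing.append(qname)
    return missing

def sample(signed_ids):
    """Constructed skeleton envelope (no digests or signature value)."""
    refs = "".join(f'<ds:Reference URI="#{i}"/>' for i in signed_ids)
    return f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"
 xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:foo="{FOO}">
 <s:Header>
  <foo:SecureRM wsu:Id="rm" s:mustUnderstand="1"/>
  <wsse:Security><ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature></wsse:Security>
 </s:Header>
 <s:Body wsu:Id="body"/>
</s:Envelope>"""

if __name__ == "__main__":
    print(unsigned_parts(sample(["body"]), [f"{{{FOO}}}SecureRM"]))
```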