PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Restriction on Encryption of Headers
Not sure if this has been already posted, and answered.
"Such encryption will encrypt such elements using WSS 1.1 Encrypted Headers.
As such, if WSS 1.1 Encrypted Headers are not supported by a service,
then this element cannot be used to specify headers that require encryption using message level security."
Does this mean, that if as a service provider, I cannot understand what a <EncryptedHeader> means,
then clients requesting this service cannot encrypt any of the request soap headers using message level security?
I agree that <EncryptedHeader> could help protect sensitive attributes on the soap header, but I doubt if
<EncryptedHeader> has gained sufficient popularity amongst implementors. I believe till the time, it is universally adopted,
and implemented by all, the above restriction of not being able to use message level security for header confidentiality
should not be in place.
This IMO can hurt interoperability between vendors who support this, and those who don't.Furthermore, till such time,
<EncryptedData> can be used by service providers and requestors.