

Subject: Re: [wsrp-wsia] [change request #139] Add UpdateResponse.isSecure ?


This is currently the 1 situation in which the producer is prevented 
from switching between secure and insecure.  I imagine we didn't make a 
conscious decision to do this.  Why should this be the one situation 
that doesn't give the producer control?  It would mean we would be 
giving them the ability to switch security levels via a redirect from an 
action but not the "implicit" redirect of the return.
    -Mike-

Andre Kramer wrote:

>We should help ensure that a getMarkup() following a performInteraction()
>always uses secure if the action was over https. This allows a "your credit
>card transaction will be processed" to be securely displayed to the user.
>Otherwise, it is just too easy for an attacker to spoof an "invalid credit
>card - please type number again" message, as users may not notice the
>transition from secure to insecure.
>
>A portlet can more safely switch by adding insecure (http) action and render
>URLs to a secure (https) page/fragment, so I think this "feature" is
>somewhat questionable.
>
>regards,
>Andre
>
>-----Original Message-----
>From: Rich Thompson [mailto:richt2@us.ibm.com]
>Sent: 12 February 2003 16:47
>To: wsrp-wsia@lists.oasis-open.org
>Subject: [wsrp-wsia] [change request #139] Add UpdateResponse.isSecure?
>
>
>Document: Spec
>Section:  6.1.13
>Page/Line: 34/32
>Requested by: Mike Freedman
>Old text:
>New text: [O] boolean isSecure
>
>Reasoning:  Don't we need a way for a producer to convert from http/https 
>between an action and a subsequent render?  I.e. submit a form securely 
>with a credit card number but the resulting render is back in unsecure 
>mode.
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>
>



