Subject: Re: SOAP version (from the minutes)
I'm sorry I couldn't make the call, but let me comment on the SOAP issue.

Yes, SOAP 1.2 defines its terminology much more rigorously. It also clarifies many ambiguities -- what happens if a message reaches the final destination with some headers unprocessed. Those are all good things, and it would arguably benefit WS-Security to use the more rigorous processing model and terminology definitions.

On the other hand, it is based on the Infoset, as opposed to the XML 1.0 serialization which is really the basis of XML DSIG et al. There are various subtleties and issues here (for example, a SOAP 1.2 message could be conforming yet not serialize to XML 1.0, not be amenable to the XPath model for canonicalization, etc.) I exchanged a number of emails with Mark Nottingham (and the W3C WG) about this. For an example of some of the impact, look at the "Soap message normalization" W3C Note (note that it's not on the recommendation path; it's just a Note) which explains how to canonicalize SOAP messages per se (as opposed to their payload).

To date, the informal and unofficial attitude I've heard from various SOAP members is "XML DSIG and XMLEnc should be rewritten in terms of the Infoset." (My response to them has been advice to not hold their breath. :)

There are subtleties and dangers. I suggest the WS-Security spec:

    Make it clear this is defined for 1.1, but note that it is not intended to rule out 1.2
    Use 1.2 terminology where it makes sense
    Use 1.1 examples

Hope this helps.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
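An added example, not part of the original message: it shows why XML DSIG depends on a canonical XML 1.0 octet stream rather than on the information set alone, by digesting two serializations of one SOAP 1.1 envelope before and after canonicalization. The messages and the `urn:example:orders` namespace are constructed, and Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0) is assumed here as a stand-in for the Canonical XML 1.0 algorithm.

```python
import hashlib
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Constructed samples: A and B carry the same information set but are serialized
# differently (quote style, attribute order, xmlns order, empty-element form,
# whitespace inside tags).
MSG_A = (
    f'<soap:Envelope xmlns:soap="{SOAP11}" xmlns:m="urn:example:orders">'
    '<soap:Body><m:Order id="42" currency="USD"><m:Note></m:Note></m:Order></soap:Body>'
    '</soap:Envelope>'
)
MSG_B = (
    f"<soap:Envelope xmlns:m='urn:example:orders'\n    xmlns:soap='{SOAP11}'>"
    "<soap:Body ><m:Order currency='USD' id='42'><m:Note/></m:Order></soap:Body >"
    "</soap:Envelope>"
)
# C differs from A in content (the id value), so it must never compare equal.
MSG_C = MSG_A.replace('id="42"', 'id="43"')


def raw_digest(xml_text: str) -> str:
    """Digest of the octets exactly as received (no canonicalization)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Digest of the canonical octet stream, the input a signature digest needs."""
    # Assumption: C14N 2.0 from the standard library stands in for C14N 1.0.
    canonical = ET.canonicalize(xml_data=xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def same_signed_content(a: str, b: str) -> bool:
    """True when two serializations canonicalize to identical octets."""
    return canonical_digest(a) == canonical_digest(b)


if __name__ == "__main__":
    print("raw A == raw B:  ", raw_digest(MSG_A) == raw_digest(MSG_B))
    print("canonical A == B:", same_signed_content(MSG_A, MSG_B))
    print("canonical A == C:", same_signed_content(MSG_A, MSG_C))
```
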