Subject: Re: SOAP version (from the minutes)
I'm sorry I couldn't make the call, but let me comment on the
SOAP issue.
Yes, SOAP 1.2 defines its terminology much more rigorously. It also
clarifies many ambiguities -- what happens if a message reaches
the final destination with some headers unprocessed. Those are
all good things, and it would arguably benefit WS-Security to use
the more rigorous processing model and terminology definitions.
On the other hand, it is based on the Infoset, as opposed to the
XML 1.0 serialization which is really the basis of XML DSIG et al.
There are various subtleties and issues here (for example, a SOAP
1.2 message could be conforming yet not serialize to XML 1.0, not be
amenable to the XPath model for canonicalization, etc.) I exchanged
a number of emails with Mark Nottingham (and the W3C WG) about this.
For an example of some of the impact, look at the "SOAP message
normalization" W3C Note (note that it's not on the recommendation
path; it's just a Note) which explains how to canonicalize SOAP
messages per se (as opposed to their payload).
To date, the informal and unofficial attitude I've heard from
various SOAP members is "XML DSIG and XMLEnc should be rewritten
in terms of the Infoset." (My response to them has been advice to
not hold their breath.:)
There are subtleties and dangers. I suggest the WS-Security spec:
  - Make it clear this is defined for 1.1, but note that
    it is not intended to rule out 1.2
  - Use 1.2 terminology where it makes sense
  - Use 1.1 examples
Hope this helps.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
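
Added example, not part of the original email: a sketch of why signature digests depend on the XML 1.0 serialization and its canonical form rather than on the abstract Infoset. It assumes Python's built-in C14N 2.0 and SHA-256 as stand-ins for the canonicalization and digest algorithms a deployment would use; the envelopes, the `urn:example:pay` namespace and the control-character case are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: the same SOAP 1.1 envelope serialized two ways
# (quote style, attribute order, namespace order, empty-element form).
MSG_A = (
    f'<soap:Envelope xmlns:soap="{SOAP11}">'
    '<soap:Body Id="body" xmlns:p="urn:example:pay">'
    '<p:Transfer to="alice" amount="10"/>'
    '</soap:Body></soap:Envelope>'
)
MSG_B = (
    f"<soap:Envelope xmlns:soap='{SOAP11}'>"
    "<soap:Body xmlns:p='urn:example:pay' Id='body'>"
    "<p:Transfer amount='10' to='alice'></p:Transfer>"
    "</soap:Body></soap:Envelope>"
)

def raw_digest(xml_text):
    """Digest of the bytes as they appeared on the wire."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def c14n_digest(xml_text):
    """Digest of the canonical serialization (C14N 2.0 used as a stand-in)."""
    canonical = ET.canonicalize(xml_data=xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def make_note(text):
    """Build an in-memory element directly, without parsing any XML text."""
    elem = ET.Element("note")
    elem.text = text
    return elem

def has_xml10_form(elem):
    """True if the tree serializes to text an XML 1.0 parser accepts."""
    try:
        ET.fromstring(ET.tostring(elem))
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    print("raw digests equal: ", raw_digest(MSG_A) == raw_digest(MSG_B))
    print("c14n digests equal:", c14n_digest(MSG_A) == c14n_digest(MSG_B))
    # Assumed illustration: a tree holding a character XML 1.0 forbids
    # cannot be serialized to parseable text, so it cannot be canonicalized.
    print("control char has XML 1.0 form:", has_xml10_form(make_note("bell\x07")))
```

A verifier that receives a message built from a data model rather than from XML 1.0 text has to reach the same canonical bytes as the signer, which is the gap the email points at.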