OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   Re: [xml-dev] What Does SOAP/WS Do that A REST System Can't?

[ Lists Home | Date Index | Thread Index ]

On Wed, 30 Mar 2005 21:33:59 -0500 (EST), Rich Salz
<rsalz@datapower.com> wrote:
> But what if the Credit Card company is building its back office around
> HTTP and REST?  They *can't* resubmit and let someone else work it out. :)
> Note that I'm not talking about transactions, rollback, etc., I just
> want to know if the damn message got there and what the answer was.
> I'd also like to avoid message replay.

I believe POE fulfills that requirement:

   http://www.mnot.net/blog/2005/03/21/poe
 
> HTTP has no way to provide end-to-end security of the Request URI.
> That means you can't do a GET and have any cryptographically based
> way to be sure that (a) the URI wasn't modified in-flight; and (b)
> that nobody else will see it (i.e., signing and encryption).  SSL/TLS
> is only hop-by-hop.  If there are any proxies or loadbalancers in the
> path, at least some of them will get the plaintext.

As far as (a) is concerned, doesn't Digest include the URI in the hash?

As far as (b) is concerned, isn't the SLL certificate tied to the IP address 
of the server being accessed?

   -joe

-- 
Joe Gregorio        http://bitworking.org




 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS