OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] What Does SOAP/WS Do that A REST System Can't?

[ Lists Home | Date Index | Thread Index ]

> > Note that I'm not talking about transactions, rollback, etc., I just
> > want to know if the damn message got there and what the answer was.
> > I'd also like to avoid message replay.
> I believe POE fulfills that requirement:
>    http://www.mnot.net/blog/2005/03/21/poe

Unfortunately, no.  If a reply is lost, according to the POE draft
you're supposed to do a GET.  How does the server prevent someone
else from doing the GET?  Since a GET has no request body, there's
no way to put any real authentication in there.  Also, how long
does the server have to keep the GET'able response around for?
Mark proposed this same kind of trick in the WS-Addressing WG and
I raised the same objections.

> > HTTP has no way to provide end-to-end security of the Request URI.
> > That means you can't do a GET and have any cryptographically based
> > way to be sure that (a) the URI wasn't modified in-flight; and (b)
> > that nobody else will see it (i.e., signing and encryption).
> > is only hop-by-hop.  If there are any proxies or loadbalancers in the
> > path, at least some of them will get the plaintext.
> As far as (a) is concerned, doesn't Digest include the URI in the hash?

Digest requires the client and server to have a shared secret.
That means O(n**2) vs O(n), and we've all heard how bad that is. :)
Seriously, it means that every possible pair of communicating
entities have to have a shared password.  That, in turn, means that
if you get something signed with Digest you have no idea which side
signed it.  That doesn't tend to make the business folks very happy.

> As far as (b) is concerned, isn't the SLL certificate tied to the IP address
> of the server being accessed?

That's assuming the client has direct IP connectivity to the real
server being accessed.  It's rarely that way -- as I said, there's
often loadbalancers, content-aware networking, etc., in the way.
In addition, many organizations have a policy that SSL from the
outside world *must* terminate in the DMZ.  They *will not* let an
incoming SSL connection connect directly to internal services.

I'd rather not have to trust every single piece of network equipment
to not mess anything up, especially when I don't have to.


Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS