
humphrey@cs.virginia.edu wrote:
The security section (section 8.1) implies that *EVERY* SOAP message must be either (1) over TLS or (2) "SOAP Message security with XML signature and/or XML Encryption". If you truly mean this (implied by "R0811"), this is overly restrictive and makes no sense (there does not exist *ANY* message that can justifiably be sent between services/clients that need not incur the overhead of crypto?). However, it's not clear if you really mean this ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, what exactly is the intention here?
Certainly when it comes to information systems and how they are used by things like the RSS, there is a significant fraction of useful interaction that can be done completely unencrypted within a particular security domain (I had it argued to me that uses within a domain don't need to be standardized at all, which is theoretically true but life doesn't really seem to work like that; unifying the sorts of interfaces supported both internally and externally is a big win). For example, consider the looking up of non-user-specific information about the general configuration of resources. On the other hand, requiring that services support such access (at least potentially, even if a particular instance doesn't) is OK with me, as is a strong recommendation that anything carrying user-specific info (the majority of interactions, I presume) should be protected over the wire.

Donal.