Posted to soap-dev@xml.apache.org by Ed Keen <ed...@interactiveportal.com> on 2001/05/18 20:46:46 UTC

encryption at transport layer or app layer?

Does anyone have an opinion about SOAP encryption at the application layer
vs. the transport layer?  IBM seems to feel strongly that you should *not*
use the transport layer (SSL) for SOAP encryption, since SOAP is not dependent
upon a particular transport type (and because there may be intermediate
parties to a SOAP request).  However, most of what I have read about secure
SOAP references SSL as the preferred method.  Which direction is the
industry going?  It looks like IBM has an entire framework to handle
encryption at the individual tag level.  So, if I am looking at my options,
which one is best?

Thanks,
Ed


Re: encryption at transport layer or app layer?

Posted by Scott Nichol <sn...@computer.org>.
If you want to have encryption now with any interoperability, I think SSL is
the ticket.  In the long run, I expect the W3C standard for XML Encryption
(http://www.w3.org/Encryption/2001/) to be widely supported, as will XML
Signature (http://www.w3.org/Signature/).  The XML Security Page
(http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/xml_security.html) has
a boatload of links to (you guessed it) various XML security activities.

Scott

----- Original Message -----
From: "Ed Keen" <ed...@interactiveportal.com>
To: <so...@xml.apache.org>
Sent: Friday, May 18, 2001 2:46 PM
Subject: encryption at transport layer or app layer?


> Does anyone have an opinion about SOAP encryption at the application layer
> vs. the transport layer?  IBM seems to feel strongly that you should *not*
> use the transport layer (SSL) for SOAP encryption, since SOAP is not dependent
> upon a particular transport type (and because there may be intermediate
> parties to a SOAP request).  However, most of what I have read about secure
> SOAP references SSL as the preferred method.  Which direction is the
> industry going?  It looks like IBM has an entire framework to handle
> encryption at the individual tag level.  So, if I am looking at my options,
> which one is best?
>
> Thanks,
> Ed
>


Re: encryption at transport layer or app layer?

Posted by Abid Farooqui <fa...@tampabay.rr.com>.
IBM simply feels that way because they really badly want SOAP over MQSeries.
I think they even have it mentioned somewhere in the spec. The problem there
is that MQSeries has hardly any built-in mechanism for data security. No SSL
layer, nothing at all. IBM Hursley is desperately trying to put SSL in now
but it will still take them years to do that. Hence that does not fit in
well within IBM's business profitability model. That is why it is easier to
say for IBM that SOAP should not use transport layer data security. In my
opinion transport layer data security hides a whole bunch of data security
complexity that if it is on the application layer will make things a whole
lot more complex and tools more expensive.
Think about it. Mainframe OS/390, the big money maker for IBM and AS/400,
its smaller brother really do not have a whole lot of Crypto libraries and
SSL or S/MIME libraries ported to them. Neither are there a bunch of vendors
porting webservers and especially SSL webservers to these monster platforms +
they are not even ASCII machines. So if IBM wants SOAP to be on these
machines as well, they will have to most likely use MQSeries as middleware.

----- Original Message -----
From: "Ed Keen" <ed...@interactiveportal.com>
To: <so...@xml.apache.org>
Sent: Friday, May 18, 2001 2:46 PM
Subject: encryption at transport layer or app layer?


> Does anyone have an opinion about SOAP encryption at the application layer
> vs. the transport layer?  IBM seems to feel strongly that you should *not*
> use the transport layer (SSL) for SOAP encryption, since SOAP is not dependent
> upon a particular transport type (and because there may be intermediate
> parties to a SOAP request).  However, most of what I have read about secure
> SOAP references SSL as the preferred method.  Which direction is the
> industry going?  It looks like IBM has an entire framework to handle
> encryption at the individual tag level.  So, if I am looking at my options,
> which one is best?
>
> Thanks,
> Ed
>