axis-java-dev mailing list archives

From Anne Thomas Manes <atma...@gmail.com>
Subject Re: WSDL with attachments
Date Thu, 28 Jul 2005 21:42:34 GMT
I believe that the vulnerabilities are outlined in the WS-I Security
Challenges, Threats and Countermeasures document
(http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf).
You might also check the OASIS WS-Security Attachment Profile draft.

The same security vulnerabilities apply to WS-Attachments and DIME.
The gist of the problem is that SwA and WS-Attachment attachments
aren't part of the SOAP Infoset and therefore aren't protected by
WS-Security. MIME is slightly more vulnerable because you can't secure
the MIME headers except via SSL/TLS.

I think Microsoft's point, though, is that there's no incentive to
implement support for SwA because it is being superseded by MTOM.

Anne

On 7/28/05, Dennis Sosnoski <dms@sosnoski.com> wrote:
> Anne Thomas Manes wrote:
> 
> >Unfortunately, Microsoft does not and will not support SwA, therefore
> >Microsoft does not and will not support the WS-I Attachment Profile
> >1.0. (SwA has some inherent security vulnerabilities, so I understand
> >Microsoft's position on this point.)
> >
> Can you supply any pointers on the SwA security vulnerabilities, Anne? I
> didn't find anything in a quick search.
> 
>   - Dennis
>
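
Added illustration of the point in the message above (not part of the original thread, and not Axis code): a signature computed over the SOAP envelope alone does not change when an attachment body or its MIME headers change. The message is constructed sample data, the SHA-256 of the root part stands in for an envelope-only WS-Security signature, and the `cid:` reference convention used to mark a covered attachment is an assumption.

```python
import email
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def build_swa(attachment, content_type="text/plain", sign_attachment=False):
    """Constructed sample SwA message (multipart/related), not captured traffic."""
    extra = '<ds:Reference URI="cid:claim@example.com"/>' if sign_attachment else ""
    envelope = (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><soap:Header>'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/>' + extra +
        '</ds:SignedInfo></ds:Signature></soap:Header>'
        '<soap:Body Id="body"><claim href="cid:claim@example.com"/></soap:Body>'
        '</soap:Envelope>')
    return (
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/related; boundary="b1"; type="text/xml"\n\n'
        '--b1\nContent-Type: text/xml\nContent-ID: <env@example.com>\n\n'
        + envelope + '\n'
        '--b1\nContent-Type: ' + content_type + '\nContent-ID: <claim@example.com>\n\n'
        + attachment + '\n--b1--\n')

def split_parts(raw):
    """Return (SOAP envelope text, list of attachment MIME parts)."""
    parts = email.message_from_string(raw).get_payload()
    return parts[0].get_payload(), parts[1:]

def envelope_digest(raw):
    """Stand-in for an envelope-only signature: SHA-256 over the root part."""
    envelope, _ = split_parts(raw)
    return hashlib.sha256(envelope.encode()).hexdigest()

def unprotected_attachments(raw):
    """Content-IDs of attachments that no ds:Reference in the envelope covers."""
    envelope, attachments = split_parts(raw)
    signed = {ref.get("URI", "")
              for ref in ET.fromstring(envelope).iter(DS + "Reference")}
    return [p["Content-ID"] for p in attachments
            if "cid:" + p["Content-ID"].strip("<>") not in signed]

if __name__ == "__main__":
    original = build_swa("amount=100")
    altered = build_swa("amount=999999", content_type="application/octet-stream")
    print("envelope digest unchanged:",
          envelope_digest(original) == envelope_digest(altered))
    print("attachments outside the signature:", unprotected_attachments(original))
```

A receiver can run a check like `unprotected_attachments` before processing and reject messages whose attachments fall outside the signed references.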
