REST Security

December 2, 2006

Pete Lacey responds to Gunnar Peterson’s claims about REST’s lack of message-level security.

I find it awfully hard to add anything to that, so go read the original post.

About

This page contains a single entry from Stefan Tilkov's Random Stuff posted on December 2, 2006 9:54 AM.

Comments

With all due respect, he did nothing of the sort. He restated a bunch of transport-level security mechanisms that do nothing to address the message-level security issue I described. For some places that do have some clue on this, go here:

http://docs.amazonwebservices.com/AWSSimpleQueueService/2006-04-01/RequestAuthenticationArticle.html

and

http://www.franklinmint.fm/blog/archives/000934.html

Good luck!

Posted by: Gunnar at December 2, 2006 1:20 PM

Gunnar, I fail to get your point.

First of all, you point to several cases of identity theft. I don’t see any connection to transport-level vs. message-level security.

Secondly, you claim that REST does not address message-level security.

Never mind that REST is an architectural style and you should rather be talking about HTTP. Even if you did, standards such as XML Encryption and XML Digital Signature are completely orthogonal to the REST vs. SOAP debate — there’s nothing stopping you from using them while using HTTP in a RESTful way.

There is one valid point (that I actually failed to find expressed this way in your comment; I may have missed it): With WS-Security, there’s some standardization as to how to communicate metadata about the usage of XML Encryption and DSIG, and there’s no equivalent mapping to plain HTTP.

Still, the most crucial point seems to be that you see WSS as the critical success factor for SOAP (vs. RESTful HTTP). To which I say: No-one uses WSS right now.

Posted by: Stefan Tilkov at December 2, 2006 9:08 PM
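The point argued in the thread above is that message-level security (a signature or encryption that travels with the message, independent of whether the connection uses TLS) can be layered onto plain HTTP without any SOAP machinery; the AWS request-authentication document Gunnar links to is one instance of that. The following Python is an added illustration of that idea, not code from the post, from either commenter, or from Amazon: it binds an HMAC over the request method, path, a timestamp, a key identifier and a hash of the body, carries it in request headers, and verifies it on the receiving side with a replay window. The header names (`X-Msg-Date`, `X-Msg-KeyId`, `X-Msg-Signature`), the key-identifier scheme, the shared secret and the sample body are assumptions constructed for this example; it is not AWS's actual signing scheme and provides integrity and authentication only, not the confidentiality XML Encryption would add.

```python
"""Message-level authentication and integrity for a RESTful HTTP request.

Added example for illustration only; not the original post's code and not
a published standard. Header names, key-id scheme, secret and sample body
are assumptions made for this example.
"""
import hashlib
import hmac
import time

# Constructed shared secrets keyed by a key identifier (assumed scheme).
KEYS = {"client-1": b"example-shared-secret-not-for-production"}

# Messages whose timestamp is further than this from the receiver's clock
# are rejected, which bounds how long a captured request can be replayed.
MAX_SKEW_SECONDS = 300

# Constructed sample representation (an order document) for the demo.
SAMPLE_BODY = b"<order><item>widget</item><qty>1</qty></order>"


def canonical_string(method, path, date, key_id, body):
    """Build the string the signature is computed over.

    It binds method, path, timestamp, key id and a SHA-256 of the body, so a
    change to any of them (including the payload) invalidates the signature.
    Hashing the body keeps the string short for large payloads.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date, key_id, body_hash])


def sign_request(method, path, body, key_id, now=None):
    """Return headers carrying a message-level HMAC-SHA256 signature."""
    now = int(time.time()) if now is None else now
    date = str(now)
    data = canonical_string(method, path, date, key_id, body).encode()
    mac = hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()
    return {"X-Msg-Date": date, "X-Msg-KeyId": key_id, "X-Msg-Signature": mac}


def verify_request(method, path, body, headers, now=None):
    """Return True only if the key is known, the timestamp is within the
    replay window and the signature matches the message as received."""
    now = int(time.time()) if now is None else now
    key_id = headers.get("X-Msg-KeyId")
    date = headers.get("X-Msg-Date")
    sig = headers.get("X-Msg-Signature")
    if key_id not in KEYS or not date or not sig:
        return False
    try:
        ts = int(date)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    data = canonical_string(method, path, date, key_id, body).encode()
    expected = hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the expected MAC byte by byte.
    return hmac.compare_digest(expected, sig)


def demo(now=1_000_000):
    """Exercise the signer/verifier and return the outcomes by scenario."""
    headers = sign_request("POST", "/orders", SAMPLE_BODY, "client-1", now=now)
    tampered = SAMPLE_BODY.replace(b"<qty>1</qty>", b"<qty>100</qty>")
    return {
        "intact": verify_request("POST", "/orders", SAMPLE_BODY, headers, now=now),
        "tampered_body": verify_request("POST", "/orders", tampered, headers, now=now),
        "wrong_path": verify_request("POST", "/orders/1", SAMPLE_BODY, headers, now=now),
        "replayed_late": verify_request("POST", "/orders", SAMPLE_BODY, headers,
                                        now=now + MAX_SKEW_SECONDS + 1),
        "unknown_key": verify_request("POST", "/orders", SAMPLE_BODY,
                                      dict(headers, **{"X-Msg-KeyId": "nobody"}), now=now),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:14s} -> {'accepted' if ok else 'rejected'}")
```

Because the signature covers the message rather than the connection, a proxy or intermediary between client and server can forward the request over any transport and the receiver can still verify it; conversely, TLS alone would not let the receiver detect the tampered body once the message has left the TLS tunnel. What this example lacks, and what the thread's one conceded point is about, is a standardized way to say in the message which canonicalization, algorithm and key were used; here those are fixed by convention between the two parties.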