Anil John wrote:
>>Yes, that can work as long as you avoid man in the middle attacks...
>
> The point of 2-Way SSL is not just protection of data in transit, but strong
> mutual authentication (at the machine level), which is one of the ways that
> you mitigate this type of attack. I am probably missing something in your
> question.. BTW, you did mean Digital Signature by "XML-SG" right?  Also,
> keep in mind that the Gateway does not strip off the Signature.. You can
> also verify it further in.

People with the knowledge of being in that environment have extra opportunities
to be the man in the middle.  Mutual authentication with SSL implies that the
two machines on each end are the only machines in the network path which know
each other...  I'm suggesting that there is a certain level of paranoia which is
healthy to maintain about security.  And no, I would not say that XML-SG is what
I mean by digital-signature.  I don't use XML over the wire...

> Certainly. I would make sure that all of my endpoints have a PEP. Depending
> on how that PEP is implemented would determine how I manage it. e.g. If that
> PEP was implemented in software by the service platform, it would make
> things a lot more complex. The XML Security Gateway really does not do
> anything for me at the endpoints.

This is my point.  You can put in all these devices that defend you from the
world, but you still need to defend yourself from internal attacks.  Once you've
done that, there's often no direct advantage to these devices.  The only reason
that these devices seem useful is if you've chosen XML and a 3rd party platform
which provides you limited control over endpoint management and security at the
service.

Gregg Wonderly
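Gregg's point above, that 2-way SSL binds exactly the two endpoint machines and nothing else in the network path, can be shown directly. This is an added example, not code from either poster: Go's crypto/tls with each side trusting exactly one constructed self-signed certificate; the machine names `service`, `client` and `box-in-the-path` are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for one machine (constructed test material).
func selfSigned(name string) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// mutualHandshake runs a 2-way TLS handshake over loopback TCP. Each side trusts exactly one peer
// certificate, so only those two machines can complete it; any other box in the path is refused.
// TLS 1.2 is pinned so the server's verdict on the client certificate reaches the client inside Dial.
func mutualHandshake(server, client tls.Certificate, serverTrusts, clientTrusts *x509.Certificate) error {
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(serverTrusts) // the only client identity the service accepts
	rootCAs.AddCert(clientTrusts)   // the only service identity the client accepts
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs, MaxVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // service side: accept one connection and run its half of the handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{client},
		RootCAs: rootCAs, ServerName: clientTrusts.DNSNames[0]})
	if err != nil {
		return err
	}
	return conn.Close()
}
```

A third machine holding its own well-formed certificate is rejected whether it tries to stand in for the service or for the client, which is exactly the property Gregg describes; it says nothing about what either trusted endpoint does with the data afterwards.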