Talk:WS-Security
This article is rated Stub-class on Wikipedia's content assessment scale.
The paragraph in this article about TLS and using SSL for integrity and confidentiality is not related to the core subject of the page, which is the WS-Security standard. This may be relevant to another article on more general web service security issues. Warnet 16:17, 14 December 2006 (UTC)
Moved the paragraph about TLS under an Alternative(s) heading and made clear that WS-Security addresses a different (broader) problem than TLS. Anonymous, 14:24, August 24 2007 (GMT+1) —Preceding unsigned comment added by 213.84.67.167 (talk) 12:25, August 24, 2007 (UTC)
I don't believe the information in the TLS section about proxy servers is either cited or factually correct. In fact, proxy servers DO NOT see the content of a message encrypted using TLS, as the client explicitly tells the proxy server where to forward the message to through the HTTP CONNECT operation. The message payload itself is sent through in encrypted form. I will update the article accordingly unless anyone disagrees with the above when I have time to find references for the above.
PaulRussell (talk) 11:32, 9 January 2008 (UTC)
TLS is related to WS-Security, as one use case is to include an unsigned and unencrypted WSS-token in a SOAP header, and protect the message with transport layer security. In this case the TLS-proxy vouches for the claims in the WSS-token. The proxy definition must be clarified, as it refers to SOAP intermediaries, not TCP-level proxies, and therefore DO SEE content. End-to-End security is not mandatory with WSS, but optional. Rainer Hörbe 10:56, 10 January 2010 (UTC)
"not or less trusted"
The End-to-end security section of the article contains the following wording: "If a SOAP intermediary is required, and the intermediary is not or less trusted, ...".
I'm asking the main author to clarify what he meant by "not or less trusted": out of common sense it has to be some variation over "not trusted enough". — Preceding unsigned comment added by 213.170.91.170 (talk) 11:08, 8 July 2011 (UTC)