Chapter 13: Service Layer Guidelines

Jan 13, 2009 at 6:17 AM
Hi,

In the Service Layer Frame, Message Protection, it states: 'Not using transport layer protection for messages that cross multiple servers.' as a key issue. This doesn't sound right and contradicts the information in the Message Protection Section later in the document:

If the message passes through one or more servers, always use message-based protection.
In addition, you can also use transport layer security with message-based security. With
transport layer security, the message is decrypted and then encrypted at each server it
passes through, which represents a security risk.

The information in the service layer frame seems to be a typo, I think it should read 'Not using message based protection for messages that cross multiple servers.' as being a key issue (which it could be!)

Disclaimer: I'm not a security expert so I could have read it wrong :-)

Cheers

Jan 14, 2009 at 9:40 PM
Good catch.    We took out the NOT. It now says.

Using transport layer protection for messages that cross multiple servers.

You are right.  Using transport security - At each SOAP server, a message is decrypted and then reencrypted when sent on to another server.  If the SOAP server is compromised, your message could be intercepted and read.  If you don't know the exact route of your messages, it's safest to use message security to mitigate this issue.  If you do know the routing and your own all the SOAP servers the message is going through , then it becomes less of an issue as you can know how secure those servers are. Message security adds extra overhead to the process.
Jan 15, 2009 at 12:16 AM
Actually, we changed it again. It was more precise to say "Failing to use message security protection for messages that cross multiple servers."
Jan 15, 2009 at 12:22 AM
Thanks Rob, its only minor but I'm glad I can contribute in some tiny way to a great document.

That wording does appear in a number of Message Protection sections so it may be worthwhile updating all sections to be consistent.
Jan 15, 2009 at 2:48 AM
grayn,
I'm glad you found it. It could easily confuse someone. 

I found it in chapter 13 and chapter 18 (services chapters) in the upfront Frame areas.  I corrected both of those. When I searched the latest build for "transport layer protection for messages" I no longer get any hits. If there are other places where this is wrong, be sure to post.

Rob
Jan 12, 2013 at 4:48 AM

On sale barbour jacket with surprising discount are waiting for you in barbour sale online. For  cold winter days, we have prepared you with warm quilted barbour jacket , classic barbour international , quality barbour wax and other barbour coat in online barbour store . Be quick to take those cheap barbour jackets home!

http://www.barbourbymall2013.com/