
REST Security

Stefan Tilkov

Pete Lacey responds to Gunnar Peterson’s claims about REST’s lack of message-level security.

I find it awfully hard to add anything to that, so go read the original post.

On December 2, 2006 1:20 PM, Gunnar said:

With all due respect, he did nothing of the sort. He restated a bunch of transport-level security mechanisms that do nothing to address the message-level security issue I described. For some places that do have some clue on this, go here:

http://docs.amazonwebservices.com/AWSSimpleQueueService/2006-04-01/RequestAuthenticationArticle.html

and

http://www.franklinmint.fm/blog/archives/000934.html

Good luck!

On December 2, 2006 9:08 PM, Stefan Tilkov said:

Gunnar, I fail to get your point.

First of all, you point to several cases of identity theft. I don’t see any connection to transport-level vs. message-level security.

Secondly, you claim that REST does not address message-level security.

Never mind that REST is an architectural style and you should rather be talking about HTTP. Even if you did, standards such as XML Encryption and XML Digital Signature are completely orthogonal to the REST vs. SOAP debate — there’s nothing stopping you from using them while using HTTP in a RESTful way.

There is one valid point (that I actually failed to find expressed this way in your comment; I may have missed it): With WS-Security, there’s some standardization as to how to communicate metadata about the usage of XML Encryption and DSIG, and there’s no equivalent mapping to plain HTTP.

Still, the most crucial point seems to be that you see WSS as the critical success factor for SOAP (vs. RESTful HTTP). To which I say: No one uses WSS right now.
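The point made in the comment above, that message-level integrity and origin authentication can be layered on plain HTTP without WS-Security, as an added example that is not code from the original post. It signs a canonical form of the request (method, path, selected headers, body digest) with an HMAC; the secret, header names and request values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real deployment provisions per-client keys.
SECRET = b"example-shared-secret"

# Headers included in the signature. Signing Date lets the server bound replay with a clock window.
SIGNED_HEADERS = ("host", "date")


def canonical_string(method: str, path: str, headers: dict, body: bytes) -> bytes:
    """Build the exact bytes the signature covers.

    A digest of the body is signed instead of the raw body so that the signature does not
    depend on transfer encoding, and so that any change to the body breaks verification.
    """
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    header_part = "\n".join(f"{h}:{hdrs[h]}" for h in SIGNED_HEADERS)
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{header_part}\n{body_digest}".encode()


def sign_request(method: str, path: str, headers: dict, body: bytes, secret: bytes = SECRET) -> str:
    """Client side: produce the hex HMAC-SHA256 the client sends in a signature header."""
    return hmac.new(secret, canonical_string(method, path, headers, body), hashlib.sha256).hexdigest()


def verify_request(method: str, path: str, headers: dict, body: bytes, signature: str,
                   secret: bytes = SECRET) -> bool:
    """Server side: recompute and compare in constant time. This proves integrity and key
    possession; freshness (timestamp window, nonce tracking) is a separate check not shown here."""
    expected = sign_request(method, path, headers, body, secret)
    return hmac.compare_digest(expected, signature)


def demo() -> tuple:
    """Sign a constructed request, then show that a modified body fails verification."""
    headers = {"Host": "api.example.test", "Date": "Sat, 02 Dec 2006 13:20:00 GMT"}
    body = json.dumps({"amount": 10}).encode()
    sig = sign_request("POST", "/orders", headers, body)
    tampered = json.dumps({"amount": 1000}).encode()  # altered in transit, TLS or not
    return (verify_request("POST", "/orders", headers, body, sig),
            verify_request("POST", "/orders", headers, tampered, sig))


if __name__ == "__main__":
    print(demo())
```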