& XSLT On Wed, 30 Mar 2005 21:33:59 -0500 (EST), Rich Salz
<rsalz@[...].com>  wrote:
>  But what if the Credit Card company is building its back office around
>  HTTP and REST?  They *can't* resubmit and let someone else work it out. :)
>  Note that I'm not talking about transactions, rollback, etc., I just
>  want to know if the damn message got there and what the answer was.
>  I'd also like to avoid message replay.

I believe POE fulfills that requirement:

   http://www.mnot.net/blog/2005/03/21/poe
 
>  HTTP has no way to provide end-to-end security of the Request URI.
>  That means you can't do a GET and have any cryptographically based
>  way to be sure that (a) the URI wasn't modified in-flight; and (b)
>  that nobody else will see it (i.e., signing and encryption).  SSL/TLS
>  is only hop-by-hop.  If there are any proxies or loadbalancers in the
>  path, at least some of them will get the plaintext.

As far as (a) is concerned, doesn't Digest include the URI in the hash?

As far as (b) is concerned, isn't the SLL certificate tied to the IP address 
of the server being accessed?

   -joe

-- 
Joe Gregorio        http://bitworking.org

-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org> , an
initiative of OASIS <http://www.oasis-open.org> 

The list archives are at http://lists.xml.org/archives/xml-dev/

To subscribe or unsubscribe from this list use the subscription
manager: <http://www.oasis-open.org/mlmanage/index.php>