I believe that the vulnerabilities are outlined in the WS-I Security Challenges, Threats and Countermeasures document (http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf). You might also check the OASIS WS-Security Attachment Profile draft.
The same security vulnerabilities apply to WS-Attachments and DIME. The gist of the problem is that SwA and WS-Attachment attachments aren't part of the SOAP Infoset and therefore aren't protected by WS-Security. MIME is slightly more vulnerable because you can't secure the MIME headers except via SSL/TLS. I think Microsoft's point, though, is that there's no incentive to implement support for SwA because it is being superceded by MTOM. Anne On 7/28/05, Dennis Sosnoski <[EMAIL PROTECTED]> wrote: > Anne Thomas Manes wrote: > > >Unfortunately, Microsoft does not and will not support SwA, therefore > >Microsoft does not and will not support the WS-I Attachment Profile > >1.0. (SwA has some inherent security vulnerabilities, so I understand > >Microsoft's position on this point.) > > > Can you supply any pointers on the SwA security vulnerabilities, Anne? I > didn't find anything in a quick search. > > - Dennis >
