----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 13, 2002 8:24 PM
Subject: Re: recent patches

[snip]
> Now say I want to actually encrypt the XML-RPC request by the Kerberos
> session key, which is obtained through the contextual info I pass. Now
> you see a catch-22: I cannot encrypt the XML-RPC request if it contains
> the contextual info because the contextual info is needed to decrypt
> the request in the first place!

The XML Encryption standard provides for encryption of only parts of an XML document. The standard XML way of solving the problem you describe is to encrypt the payload but not the envelope and then sign the entire document.

Now SOAP has envelope/payload parts and XML-RPC does not. It's not at all hard to "simulate" an envelope in XML-RPC - The payload becomes a struct with a string member being the method name and an array member being the parameters. The call is made to a transcoding method which takes the payload struct as one parameter and another struct being the envelope.

This seems to me to be infinitely preferable to using out of band data like headers. (In your example - how can you detect if the headers have been tampered with?)

John Wilson
The Wilson Partnership
http://www.wilson.co.uk
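
The envelope/payload call described in the message above, as an added example that is not part of the original post: the payload struct (method name and parameters) is encrypted under the session key, the envelope struct stays in the clear so the server can find that key, and a MAC covers both. The `secure.transcode` method name, the struct member names, the HMAC standing in for an XML signature, and the keystream stand-in cipher are all assumptions of this example.

```python
import hashlib, hmac, json, os
import xmlrpc.client as xr

def _subkey(session_key, label):
    # Separate keys for encryption and for the MAC, both derived from the session key.
    return hmac.new(session_key, label, hashlib.sha256).digest()

def _stream_xor(key, nonce, data):
    # Stand-in cipher for this example only (HMAC-SHA256 keystream); use a vetted
    # cipher such as AES from a maintained library in real code.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def _mac(session_key, envelope, nonce, ciphertext):
    # The MAC covers the clear envelope as well as the encrypted payload.
    env = json.dumps(envelope, sort_keys=True).encode()
    msg = len(env).to_bytes(4, "big") + env + nonce + ciphertext
    return hmac.new(_subkey(session_key, b"mac"), msg, hashlib.sha256).digest()

def seal_call(session_key, envelope, method, params):
    """Client side: build the XML-RPC request for the transcoding method."""
    payload = {"methodName": method, "params": list(params)}
    nonce = os.urandom(16)
    ct = _stream_xor(_subkey(session_key, b"enc"), nonce, xr.dumps((payload,)).encode())
    sealed = {"nonce": xr.Binary(nonce), "data": xr.Binary(ct),
              "mac": xr.Binary(_mac(session_key, envelope, nonce, ct))}
    return xr.dumps((sealed, envelope), methodname="secure.transcode")

def open_call(lookup_key, request_xml):
    """Server side: read the clear envelope, find the key, verify, then decrypt."""
    (sealed, envelope), _ = xr.loads(request_xml)
    key = lookup_key(envelope)  # e.g. session key recovered from the Kerberos info
    nonce, ct, tag = (sealed[k].data for k in ("nonce", "data", "mac"))
    if not hmac.compare_digest(tag, _mac(key, envelope, nonce, ct)):
        raise ValueError("envelope or payload modified in transit")
    (payload,), _ = xr.loads(_stream_xor(_subkey(key, b"enc"), nonce, ct))
    return payload["methodName"], payload["params"]

if __name__ == "__main__":
    key = os.urandom(32)  # constructed stand-in for the Kerberos session key
    env = {"principal": "alice@EXAMPLE.ORG", "ticket": "constructed-ticket"}
    req = seal_call(key, env, "bank.transfer", ["acct-42", 100])
    print(open_call(lambda e: key, req))
```

Because the MAC is computed over the envelope too, changing the clear contextual info in transit makes `open_call` reject the request before anything is decrypted.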