More on “XML over HTTP”

A couple of comments on that post deserve further response:

    Matt wrote:

        How would WS-Security improve the CC#-stolen-from-the-database scenario?

    Depends on how you want to look at it. If the database in question is the "final repository" for the credit card, it probably won’t. But if the message is resting in the database (or on the filesystem, or…) while waiting to be processed, then WS-Security will help, because it secures the message itself wherever it rests, not just while the message is traveling across the network (which is what SSL buys you).

    An anonymous commenter wrote:

        Ted, while I agree that SSL is not the end-all in security, I think you missed the point of your quote. The poster was trying to explain that since SSL does encrypt its payload, it has the benefit of preventing well-meaning yet fundamentally flawed intermediaries from acting upon the data they’re supposed to be delivering. The firewall in this instance.

    An "intermediary" that wants to act on the payload isn’t really an intermediary anymore, but a processing node in its own right that participates in a workflow chain. An intermediary certainly has the right and responsibility to affect the message headers, but not the payload itself. To say that SSL provides the "benefit" of preventing well-meaning intermediaries from doing this is to hide the ill-behaved nature of the intermediary itself, and doesn’t properly address the problem.
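To make the header/payload distinction concrete, here is an added sketch (not code from the original post) of message-level protection: the sender attaches a MAC over the Body only, so a hop may add headers, but any change to the payload is caught when the message is finally processed, however long it sat in a queue or database first. It covers integrity only and uses an HMAC as a stand-in for WS-Security's XML Signature; the element names, key and sample message are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: known only to sender and final receiver
# Constructed sample message; element names and the test card number are illustrative.
MESSAGE = ("<Envelope><Header><To>orders</To></Header>"
           "<Body><Card>4111111111111111</Card><Amount>25.00</Amount></Body></Envelope>")

def _body_mac(env, key):
    body = env.find("Body")
    if body is None:
        raise ValueError("envelope has no Body")
    # Canonicalize so harmless re-serialization by a hop does not change the MAC.
    c14n = ET.canonicalize(ET.tostring(body, encoding="unicode"))
    return hmac.new(key, c14n.encode("utf-8"), hashlib.sha256).hexdigest()

def sign(xml_text, key=KEY):
    """Sender: attach a MAC over Body only, carried in the Header."""
    env = ET.fromstring(xml_text)
    header = env.find("Header")
    if header is None:
        header = ET.Element("Header")
        env.insert(0, header)
    ET.SubElement(header, "BodyMac").text = _body_mac(env, key)
    return ET.tostring(env, encoding="unicode")

def verify(xml_text, key=KEY):
    """Final receiver: run at processing time, after every hop and any time at rest."""
    env = ET.fromstring(xml_text)
    mac = env.findtext("Header/BodyMac")
    return mac is not None and hmac.compare_digest(mac, _body_mac(env, key))

def well_behaved_hop(xml_text):
    """Intermediary that touches headers only."""
    env = ET.fromstring(xml_text)
    ET.SubElement(env.find("Header"), "Via").text = "firewall-1"
    return ET.tostring(env, encoding="unicode")

def ill_behaved_hop(xml_text):
    """'Intermediary' that rewrites the payload."""
    env = ET.fromstring(xml_text)
    env.find("Body/Amount").text = "2500.00"
    return ET.tostring(env, encoding="unicode")

if __name__ == "__main__":
    signed = sign(MESSAGE)
    print(verify(signed), verify(well_behaved_hop(signed)), verify(ill_behaved_hop(signed)))
```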