

> Architectural constraints, such as statelessness, are constraints on
> form, not function; what you're talking about *is* possible.

Wow, news to me.  Thanks.

>  The
> issue will be whether the larger message size in the stateless
> solution will be acceptable or not.  How much state are you talking
> about?

Let's assume RSA with a key size of 2K bits, maybe sometimes 4K.  A
signature is the same as the key size, so you're talking 256 or 512 bytes,
plus the data being signed, of course.

At least one certificate will have to flow in each direction.  A
certificate is signed and has a couple-K of data, so call it 2-4Kbytes
per cert.

The data being signed is context dependent.  For SSL it's a running
hash of *all* messages the two parties have exchanged.  That's a
small amount of state (20 bytes for SHA1), but assumes a reliable
byte-stream protocol. :)

Does that help?
	/r$
-- 
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
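
An added example, not part of the original message: a sketch of the running-hash idea described above, showing that the retained state stays at 20 bytes however many messages are absorbed, and that a reordered or dropped message changes the digest, which is why a reliable byte stream is assumed. The class and function names, the length-prefix framing, and the sample messages are assumptions made for illustration; this is not SSL's actual handshake encoding.

```python
import hashlib


class RunningTranscript:
    """Keeps one hash context instead of the exchanged messages themselves."""

    def __init__(self):
        # SHA-1 to match the 20-byte figure in the message above.
        self._h = hashlib.sha1()
        self.count = 0

    def absorb(self, message: bytes) -> None:
        # Assumed framing: a 4-byte length prefix keeps message boundaries
        # unambiguous, so ["ab", "c"] and ["a", "bc"] hash differently.
        self._h.update(len(message).to_bytes(4, "big"))
        self._h.update(message)
        self.count += 1

    def digest(self) -> bytes:
        # Copy so the transcript can keep absorbing after a digest is taken.
        return self._h.copy().digest()


def transcript_digest(messages) -> bytes:
    """Digest that both parties would sign after exchanging `messages`."""
    t = RunningTranscript()
    for m in messages:
        t.absorb(m)
    return t.digest()


def stateless_overhead(key_bits: int, cert_bytes: int, certs: int = 1) -> int:
    """Bytes added to every self-contained message: signature plus cert(s)."""
    return key_bits // 8 + certs * cert_bytes


# Constructed sample exchange; the third entry stands in for a certificate.
SAMPLE = [b"client-hello", b"server-hello", b"\x30" * 3000, b"key-exchange"]

if __name__ == "__main__":
    print("state kept:", len(transcript_digest(SAMPLE)), "bytes")
    print("reordered differs:",
          transcript_digest(SAMPLE) != transcript_digest(SAMPLE[::-1]))
    print("per-message overhead, 2K key + 2 KB cert:",
          stateless_overhead(2048, 2048), "bytes")
    print("per-message overhead, 4K key + 4 KB cert:",
          stateless_overhead(4096, 4096), "bytes")
```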


