

Dave Tauzell

About Message Level Security:

It isn't just developers, but whole industries as well.

Take for example the NCPDP NEWRX transaction (the XML version to play well with REST and SOAP), which is designed to electronically submit prescriptions.

The transaction itself does not define any message level security. So let's say that you want to send the transaction using SOAP.

Most of these transactions are sent through a third party service. Message level security will prevent the third party from viewing the data. Thus, they cannot translate to/from other versions or to/from other similar transactions unless they can access the message. So either you give the third party services the ability to view the data or you make all end parties follow the same standards.

I'd say that in this case REST vs WS-* has little bearing on the end-solution. Nor does developer preference. What has the most bearing is the total cost from an industry standpoint.


"Most of these transactions are sent through a third party service."

Ahhh...but WS-Security and SAML can both support multiple namespaces and authorities for validating tokens. So you can have an intermediary token for routing messages around a network where you may care more about integrity for example, and another token in the same message to protect sensitive data where you may care more about confidentiality.
