Next: 4.2.3 Other Factors Up: 4.2 Security Assessment of Previous: 4.2.1 Introduction

4.2.2 Security Service Requirements

* Transaction confidentiality

SHTTP provides confidentiality for the encapsulated data exchanged between parties. Sufficient (S)HTTP header information to allow processing of the SHTTP transaction is sent in the clear.

* Selective field confidentiality

While SHTTP supports recursive encapsulation of transaction data, this is expected to be applied to complete HTTP (or SHTTP) transactions. Consequently, the granularity of protection remains a complete HTTP transaction. This facility could be used to support prior generation of signed information objects (contained in minimal HTTP response transactions) which would then be returned when requested (possibly with additional security encapsulation).

* Privacy/anonymity

The degree to which anonymity is supported depends upon the security services selected. If any authentication or non-repudiation services are applied, then the identity of the parties will be disclosed.

* Server authentication

Server authentication may be applied as part of any transaction. Authentication may be based on a digital signature applied to the transaction, as well as on the key management approach applied to encryption keys or on the keyed MAC calculations. Some of these approaches rely on the validation of certificates.

* Client authentication

Client authentication may be applied as part of any transaction. Authentication may be based on a digital signature applied to the transaction, as well as on the key management approach applied to encryption keys or on the keyed MAC calculations. Some of these approaches rely on the validation of certificates.

* Data integrity

Data integrity may be applied to any transaction and is based on a message integrity check or message authentication code included in the protected transaction. Integrity may also be provided by a digital signature. If the timestamp-based MAC is used, then pre-generation of the SHTTP transaction is not possible.

* Data origin authentication

For SHTTP, data origin authentication is equivalent to the server or client authentication service since all SHTTP services are applied to an individual transaction.

* Non-repudiation

SHTTP supports non-repudiation with proof of origin through the application of digital signatures to the encapsulated transaction. SHTTP does not directly support non-repudiation with proof of receipt or any other explicit proof of delivery/receipt mechanism.

* Message Stream integrity

SHTTP itself applies services to individual transactions and so does not explicitly address message stream issues. SHTTP provides a facility to allow an application to perform weak sequence-related checks through the inclusion of a timestamp in MAC check values, or strong freshness checks through a nonce-based challenge-response facility.

* Denial of Service

Denial of service concerns are limited to the destruction of transactions in flight and the consumption of resources. The ability of an attacker to destroy messages on a channel cannot be addressed by an application solution. The resource consumption issue arises from the ability of an attacker to overwhelm a server (or client) with transactions requiring extensive processing resources.
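
The weak (timestamp) and strong (nonce) freshness checks described under Message Stream integrity, and the reason a timestamp-based MAC rules out pre-generation (Data integrity), as an added Python example that is not part of the original assessment or of the SHTTP specification. HMAC-SHA256, the 300-second window, the key and all function names are assumptions chosen for illustration; SHTTP's own MAC construction is not reproduced here.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-key"  # constructed sample key, not a real secret
SKEW = 300                       # assumed acceptance window in seconds


def _mac(key: bytes, binding: bytes, message: bytes) -> bytes:
    # HMAC-SHA256 stand-in; the length prefix keeps binding and message unambiguous.
    data = len(binding).to_bytes(4, "big") + binding + message
    return hmac.new(key, data, hashlib.sha256).digest()


def timestamp_tag(key: bytes, message: bytes, ts: int) -> bytes:
    return _mac(key, b"ts:" + str(ts).encode(), message)


def verify_timestamp(key, message, ts, tag, now) -> bool:
    """Weak check: any copy replayed inside the window still verifies, and a
    tag generated ahead of time goes stale once the window has passed."""
    fresh = abs(now - ts) <= SKEW
    return fresh and hmac.compare_digest(tag, timestamp_tag(key, message, ts))


def nonce_tag(key: bytes, message: bytes, nonce: bytes) -> bytes:
    return _mac(key, b"n:" + nonce, message)


class NonceVerifier:
    """Strong check: every response must answer a challenge issued by this
    verifier, and each challenge is accepted at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, message: bytes, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already-used challenge
        ok = hmac.compare_digest(tag, nonce_tag(self.key, message, nonce))
        if ok:
            self.outstanding.discard(nonce)  # consume on success: blocks replay
        return ok
```

The timestamp variant needs no extra round trip but accepts duplicates within the window; the nonce variant rejects them at the cost of per-challenge state on the verifier.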


Denis Arnaud
12/19/1997