That sounds mainly sensible to me. I would prefer to list the methods that can be used to test whether the received headers are legitimate and so counteract the threat.

1. If using CPA, use the information in the Packaging element for the agreed upon ServiceBinding to see that content-types are as they were agreed to.
2. Absent CPA, sender can use whatever works as an xmldsig enhancement (repeating some/all of the headers in an object that is signed over, with embellishments as needed to lead to consensus...)
3. Suggest possible use of a digital enveloping technique to deter intermediary access.

Dale Moberg
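
The check in item 1, sketched as an added example that is not part of the original message: a receiver compares the content-types of a received MIME message with those agreed in Packaging. The Packaging fragment is constructed and simplified (namespaces omitted), and the function names are hypothetical.

```python
import email
import xml.etree.ElementTree as ET

# Constructed, simplified Packaging fragment (assumption: element and attribute
# names follow the CPA Packaging pattern, namespaces omitted for brevity).
PACKAGING_XML = """
<Packaging id="pkg1">
  <SimplePart id="hdr" mimetype="text/xml"/>
  <SimplePart id="payload" mimetype="application/xml"/>
  <Composite id="msg" mimetype="multipart/related">
    <Constituent idref="hdr"/>
    <Constituent idref="payload"/>
  </Composite>
</Packaging>
"""

def agreed_types(packaging_xml):
    """Return (outer type, ordered list of part types) agreed in Packaging."""
    root = ET.fromstring(packaging_xml)
    simple = {p.get("id"): p.get("mimetype").lower() for p in root.iter("SimplePart")}
    comp = root.find("Composite")
    parts = [simple[c.get("idref")] for c in comp.iter("Constituent")]
    return comp.get("mimetype").lower(), parts

def check_message(raw, packaging_xml=PACKAGING_XML):
    """Return a list of mismatches between received and agreed content-types."""
    outer, parts = agreed_types(packaging_xml)
    msg = email.message_from_string(raw)
    problems = []
    if msg.get_content_type() != outer:
        problems.append(f"outer type {msg.get_content_type()!r}, agreed {outer!r}")
    received = [p.get_content_type() for p in msg.get_payload()] if msg.is_multipart() else []
    if received != parts:
        problems.append(f"part types {received}, agreed {parts}")
    return problems

def build_sample(part_types):
    """Build a constructed multipart/related message for the demonstration."""
    body = "".join(f"--BOUND\nContent-Type: {t}\n\n<x/>\n" for t in part_types)
    return f'Content-Type: multipart/related; boundary="BOUND"\n\n{body}--BOUND--\n'

GOOD = build_sample(["text/xml", "application/xml"])
ALTERED = build_sample(["text/xml", "text/html"])  # a part's header changed in transit

if __name__ == "__main__":
    print(check_message(GOOD))
    print(check_message(ALTERED))
```

This comparison only detects headers that differ from the agreement; it does not authenticate them, which is what the signed-object approach in item 2 addresses.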