Simon Fell > Its just code > Microsoft.com web services

Saturday, August 30, 2003

No doubt you've seen the announcement of the first rev of the Microsoft.com web services. I just whipped up some PocketSOAP code to call it. It uses a WS-Security UsernameToken to pass around your credentials, and whilst your password is digested on the wire, the client gets to pick the Nonce; there's no server challenge part. So whilst you can't work out the original password from a wire trace, there's no need: the included password digest and nonce values are all you need to access the API. It's completely open to replay attacks / sniffing credentials, and at the end of the day I don't see how this is any more secure than standard HTTP basic authentication. On the other hand, it's a massive improvement over the clusterfuck that is the MS-CRM web services API (in terms of the API design, not the authentication model; MS-CRM uses IIS's HTTP-based authentication support).
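As an added example (not code from the post, PocketSOAP or Microsoft), here is what the server side would need to do to close the replay gap described above: compute the UsernameToken PasswordDigest as Base64(SHA-1(nonce + created + password)), bound the Created timestamp to a short window, and refuse any nonce it has already seen. The username, sample password, timestamps and the `ReplayGuard` class are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WS_TIME = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created format carried in the UsernameToken


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def make_token(username: str, password: str, created: str, nonce: bytes = None) -> dict:
    """Client side: the nonce is chosen locally, which is the property the post criticises."""
    nonce = nonce or os.urandom(16)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class ReplayGuard:
    """Server side (constructed): digest check plus a freshness window and a seen-nonce cache."""

    def __init__(self, lookup_password, window: timedelta = timedelta(minutes=5)):
        self.lookup_password = lookup_password  # username -> stored password
        self.window = window
        self.seen = {}  # raw nonce bytes -> Created time, kept for one window

    def verify(self, token: dict, now: datetime) -> str:
        created = datetime.strptime(token["Created"], WS_TIME).replace(tzinfo=timezone.utc)
        if not (now - self.window <= created <= now + timedelta(seconds=30)):
            return "rejected: stale or future Created"
        # Nonces older than the window can go: a replay of them fails the check above anyway.
        for old in [n for n, c in self.seen.items() if c < now - self.window]:
            del self.seen[old]
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen:
            return "rejected: nonce replayed"
        expected = password_digest(nonce, token["Created"], self.lookup_password(token["Username"]))
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "rejected: bad digest"
        self.seen[nonce] = created
        return "accepted"
```

With this in place a sniffed token is only good once and only for a few minutes; it still does nothing about the digest itself travelling in the clear, so the transport needs protecting as well.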