XML protocol security from Wesley M. Felter on 2000-05-13 (xml-dist-app@w3.org from May 2000)

From: Wesley M. Felter <wesf@cs.utexas.edu>
Date: Sat, 13 May 2000 11:27:56 -0500 (CDT)
To: xml-dist-app@w3.org
Message-ID: <Pine.LNX.4.21.0005131056440.10051-100000@tullamore-dew.cs.utexas.edu>

Here are my three thoughts about security:

Since most of the protocols discussed on this list let users define new
interfaces (i.e. they're really meta-protocols), there's no way to ensure
that all interfaces are designed with security in mind.

Even if a protocol is secure, that doesn't ensure that implementations are
secure. It seems to me that most security problems I've heard of were
implementation problems rather than protocol problems.

With those two sobering thoughts out of the way, what are people's
security needs? It's not enough to say that "foo is not secure", since
security is not one thing. I would expect an XML protocol to provide
authentication, integrity, and privacy; is there anything else that I'm
forgetting? Is a separation of authentication from authorization
desirable?

Wesley Felter - wesf@cs.utexas.edu - http://www.cs.utexas.edu/users/wesf/

Received on Saturday, 13 May 2000 12:27:58 UTC