W3C home > Mailing lists > Public > xml-dist-app@w3.org > May 2000

Re: Web RPCs Considered Harmful

From: Henrik Frystyk Nielsen <frystyk@microsoft.com>
Date: Sat, 13 May 2000 10:54:28 -0700
Message-ID: <002301bfbd08$9a844150$0300000a@redmond.corp.microsoft.com>
To: <dick@8760.com>, "Dave Winer" <dave@userland.com>, "Anders W. Tell" <anderst@toolsmiths.se>, "Wesley M. Felter" <wesf@cs.utexas.edu>
Cc: "Edd Dumbill" <edd@usefulinc.com>, <xml-dist-app@w3.org>, <dick@8760.com>
> I've read both Ken and Daves "position statements" with regard to Web
> and I believe Ken has identifed real, practical concerns that must be
> addressed. The SOAP and XML-RPC specs seem to ignore the security
> that are so important to companies building E-Commerce applications.
> Security issues are a pain to deal with - but essential for
E-Commerce. Even
> the W3C pointed to this obvious lack of security considerations in the
> submission, ref:

The important point here is that SOAP really doesn't do much - it
an envelope with a message path model and proposes an encoding mechanism
and a convention for using it for RPC is that is what you like.

There is no explicit mention of security because the hooks provided can
apply to any feature: you can apply it below (as transport), above (as
SOAP headers) and we were careful to allow for nested SOAP envelopes so
you can apply it to a SOAP envelope as well.

SOAP doesn't define *a* security policy because we expect that there is
need for multiple policies and even capability for negotiating which one
to use depending on the context (commerce, medical etc.) but that is not
for the base SOAP to do.

Regarding whether RPC is harmful, it is fundamentally a question of
whether you believe in human rights applied to protocols: communicating
parties must have equal right for expressing capabilities and policies
but more about that at the WWW9 panel.

Received on Saturday, 13 May 2000 14:26:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 22:01:09 UTC