W3C home > Mailing lists > Public > xml-dist-app@w3.org > May 2000

Re: XML protocol security

From: Mishra, Prateek <pmishra@netegrity.com>
Date: Wed, 17 May 2000 16:18:49 -0400
Message-ID: <F51E77692CD3D31190F300508B8BFA5E156372@maex02.netegrity.com>
To: "'xml-dist-app@w3.org'" <xml-dist-app@w3.org>, SOAP@DISCUSS.DEVELOP.COM
Cc: "Chippada, Radhika" <rchippada@netegrity.com>
It would be useful to list some of the requirements for secure XML
messaging. Here are some thoughts and I invite other contributions. 
The most important aspect seems to be that the protocol
itself be security neutral but support enough flexibility (using headers
for example) to incorporate a range of security arrangements. At first
this seems to be the case for SOAP where there is no hard-wired security
but there is support for a flexible set of headers which could presumably
security properties of the message (and those required of its response, if
XML messaging will be used in many different environments, with security
needs ranging from none to requiring authentication, privacy thru
message integrity, non-repudiation, secure acknowledgement, etc.  
The binding between security properties and the SOAP RPC call needs to
remain fairly loose. The same method call may be exposed with
varying security properties to different classes of users from within an
XML messaging can utilize many transports. Historically, some security
methods have been developed in the context of a transport (SSL, HTTP digest
authentication, S/MIME). It should be possible to utilize this type of
There is a strong consensus around the Role-Based Access Control (RBAC)
model as providing a scalable framework for enterprise security. This is
in the security architecture for EJBs , academic and industrial research
Sandhu research) and in commercial systems (Netegrity, enCommerce). 
The ACL approach is not considered scalable in an enterprise context where
there are many 1000's of users. This needs to be factored in when developing
an access control model for XML messaging.
- prateek mishra
Netegrity, Inc.
Waltham, MA
disclaimer: these are my personal opinions, not my employers.
Received on Wednesday, 17 May 2000 16:07:46 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 22:01:09 UTC