RE: XML protocol security from Adi Oltean on 2000-05-18 (xml-dist-app@w3.org from May 2000)

From: Adi Oltean <aoltean@Exchange.Microsoft.com>
Date: Thu, 18 May 2000 14:27:28 -0700
To: "Justin Chapweske" <justin@cyrus.net>
Cc: <xml-dist-app@w3.org>
Message-ID: <19398D273324D3118A2B0008C7E9A56909C91FE9@SIT.platinum.corp.microsoft.com>

I agree with your point - and this reminds me a similar problem in the
past: when CORBA 1.0 came out it didn't present a semantic standard for
marshalling object references, for example. This was just one of the
causes for incompatibilies between various ORB vendors - Inter-ORB
bridging was hard to realize since these protocols differed in subtle
different ways in marshalling objects by reference or by value. But
mainly each ORB vendor had its own proprietary protocol. When IIOP came
out (four years later, if I remember correctly) it was too late: the
existing native intra-ORB protocols at that time were much more
efficient and richer in functionality than IIOP (for example IIOP didn't
had GC) and this discouraged a wide adoption of IIOP as the unique
protocol for comunnication under inter/intra ORB environments.

Personally, I think SOAP will face the same dangers in future (unless a
couple of smart guys will come early with a good open standard extension
of SOAP concerning these issues)

Thanks,
Adi

-----Original Message-----
From: Justin Chapweske [mailto:justin@cyrus.net]
Sent: Thursday, May 18, 2000 12:26 PM
To: Adi Oltean
Cc: xml-dist-app@w3.org
Subject: Re: XML protocol security


Excellent points adi, but I wonder if we can't have both.  I seriously
doubt that anyone is going to want to sacrifice SOAP's simplicity to add
object references and a strong security model, but there needs to be a
realization from all of the SOAP advocates that this is a designed
limitation.  The reason I say this is because if SOAP becomes as popular
as many think it will, and it has weaknesses, then the SOAP enthusaists
need to be able to swallow their pride and recommend stronger
solutions.  One of these stronger solutions may very well be a SOAP
extension to add capabilities and object references, which leads to my
question:

Does SOAP's implementation simplicity hold as much value once SOAP has
been widely deployed and robust tools have been developed for it?  The
simplicity is a very strong feature for the early adoption of this
technology, but as it becomes more mature are we going to be willing to
trade off simplicity for stronger security guarentees?  If the feeling
is that we would be likely to make some trade-offs, then people should
consider very carefully the migration path that will need to be taken
from the current SOAP to SOAP-FAT in the future...

Hope this gets people to throw some food at each other....

-- 
Justin Chapweske - Noodler, Cyrus Intersoft
http://www.cyrusintersoft.com/

Received on Thursday, 18 May 2000 17:58:44 UTC