W3C home > Mailing lists > Public > xml-dist-app@w3.org > May 2000

Re: XML protocol security

From: Sanjiva Weerawarana <sanjiva@watson.ibm.com>
Date: Tue, 23 May 2000 03:22:42 -0400
Message-ID: <007e01bfc487$b6af6400$58b0e220@lankabook.watson.ibm.com>
To: "Andrew Layman" <andrewl@microsoft.com>, <Michael.Condry@eng.sun.com>, <xml-dist-app@w3.org>
Andrew writes:

>What exactly did IBM demonstrate? Why is this a hole in SOAP?
>
>Thanks.
>
>-----Original Message-----
>From: Michael Condry [mailto:Michael.Condry@eng.sun.com]
>Sent: Wednesday, May 17, 2000 6:31 PM
>To: Constantine Plotnikov; xml-dist-app@w3.org
>Subject: Re: XML protocol security
>
>
>Not clear if you are using it this way. SSL will not
>fix this.
>
>IBM showed a great example of SOAP holes  in the 
>W3C conference (WWW9) today.

*IBM* did not demonstrate anything. An IBM employee (Andrew Donoho) showed an
example of communicating between two browsers by sharing some parts of the 
DOM. Either I didn't grok the demo or I personally don't see a SOAP level
security flaw with what he showed .. it showed that DOM access was what
browsers were all about and that you could share the DOM between two browsers
using SOAP as a transport. (He was using a SOAP 1.0 implementation, but I
don't think that's relevant.)

What Andrew showed in no way forms an *IBM* position on SOAP security. At
the same time, neither does this message! I personally think that a security
layer above SOAP is necessary and useful, however, I disagree that SOAP itself
is flawed because it doesn't come in with built-in security.

Sanjiva.
Received on Tuesday, 23 May 2000 03:23:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:58:56 GMT