
RE: XML protocol security

From: <Noah_Mendelsohn@lotus.com>
Date: Tue, 23 May 2000 11:45:12 -0400
To: Michael Condry <Michael.Condry@eng.sun.com>
Cc: andrewl@microsoft.com, Michael.Condry@eng.sun.com, xml-dist-app@w3.org, Andrew_Donoho/Austin/IBM@lotus.com
Message-ID: <OF18271D61.066D2D77-ON852568E8.004FD86F@lotus.com>
Andrew Donoho of IBM demonstrated an experimental implementation of SOAP 
glue into the DOM exposed by a browser.  One machine can therefore script 
another's UI and browser content. 

In general, if you expose an insecure API to the network, you will be 
raising security issues.  I believe that any industrial-strength 
implementation of such DOM/network services would have to have a carefully 
fleshed out security architecture.  Of course, there is a broader question 
as to whether exposing such a DOM is the right thing to do, and security 
is part of that question.  It's not fundamentally a SOAP issue...it's that 
you are making a big mistake if you run any of these systems (SOAP, 
XML-RPC, etc.) in a mode where it has access to arbitrary objects on your 
system, or to particular objects without the appropriate security in 
place.

------------------------------------------------------------------------
Noah Mendelsohn                                    Voice: 1-617-693-4036
Lotus Development Corp.                            Fax: 1-617-693-8676
One Rogers Street
Cambridge, MA 02142
------------------------------------------------------------------------







Michael Condry <Michael.Condry@eng.sun.com>
Sent by: xml-dist-app-request@w3.org
05/22/00 06:42 PM
Please respond to Michael Condry

 
        To:     Michael.Condry@eng.sun.com, xml-dist-app@w3.org, andrewl@microsoft.com
        cc:     (bcc: Noah Mendelsohn/CAM/Lotus)
        Subject:        RE: XML protocol security

I asked IBM to clarify.
Received on Tuesday, 23 May 2000 11:51:29 GMT
