W3C home > Mailing lists > Public > xml-dist-app@w3.org > March 2001

RE: Security

From: Clemens F. Vasters <clemensv@newtelligence.com>
Date: Fri, 16 Mar 2001 00:13:00 +0100
Message-ID: <2464EE65E1A8E248A9AEE64007F871030799B6@DEEPSPACE.newtelligence.com>
To: "Joseph Ashwood" <jashwood@arcot.com>, <xml-dist-app@w3.org>
Hi Joseph,
 
pardon me for jumping in out of the void (since I am really only
watching this list), and I am really only responding to this particular
message from you, so I may be entirely off the mark here:
 
I think that what Satoshi Hada and Hiroshi Maruyama from IBM Research in
Tokyo are working on (and has partly submitted to the W3C) by using PKI
signatures and PKI based encryption through SOAP header extensions
sounds like a good solution for both authentication and privacy with
protocols that are loosely coupled or essentially one-way and will not
allow negotiation. (Applies to both, RPC and messaging)
 
( http://www.trl.ibm.com/projects/xml/soap/wp/wp.html)
 
I understand that mandating PKI for XML protocol authentication may not
meet the "simplicity" requirements, but when we're talking security for
scenarios where you have no immediate connection between sender and
recipient (this is also true for intermediate hops on synchronous
links), I don't see any better way than using certificates to guarantee
authenticity of messages. When you take that road, privacy protection
comes more or less automatically with it.
 
Regards,
Clemens
 
 

	-----Original Message----- 
	From: Joseph Ashwood 
	Sent: Thu 3/15/2001 11:31 PM 
	To: xml-dist-app@w3.org 
	Cc: 
	Subject: Security
	
	

	This conversation pretty much started on the SOAP list but I
think it's far
	more applicable here.
	
	To give a quick summary of what has happened so far:
	There are no encryption/integrity methods that are really
suitable for
	remote procedure calls. So it has been suggested that progress
be made in
	that direction. This stems from a requirement for burst-type
communications
	(commonly done over SMTP for SOAP), where negotiations are
difficult.
	
	I was going to look into this some but I'm not sure what
requirements people
	are likely to have. Do you want enough rope to be able to hang
yourself very
	thoroughly? Or do you want strong guidelines that will limit
diversity, but
	give you only solutions that are strong?
	
	What suitable compromises do you want to see? Do you want only a
small
	number of ciphers , MAC, etc, that are secure and freely
available? or do
	you want to be able to put your own prefered ciphers to use with
minimal
	trouble?
	
	Any input would be greatly appreciated.
	                Joe
	
	
Received on Thursday, 15 March 2001 18:15:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:58:59 GMT