Re: TBTF: security considerations proposed text

> 
> TBTF'ers,
> 
> Henrik and I took an AI to draft langauge for the
> various security considerations sections in our
> specs (see below). We've worked it to a point
> that we believe we should bring this to the TBTF for
> consideration.
> 
> We welcome your comments.

Excellent work.  I agree with everything that's written.  But I feel
that we need to say more.

> Part 2
> 
> 8.6 Security Considerations (new sub-section in HTTP binding)
> 
>       The SOAP HTTP binding described in section 8 can be considered as
>       an extension of the HTTP application protocol. As such, all of the
>       security considerations identified and described in section 15 of
>       the HTTP specification[2] apply to the SOAP HTTP binding in
>       addition to those described in Part 1[1] of the SOAP specification
>       in section 4.x. Implementers of the SOAP HTTP binding SHOULD
>       carefully review this material.

Given that so much of what SOAP over HTTP is used for is tunneling, I
believe that we need to talk about the security implications of that,
since, for so many people, SOAP *means* tunneling (either with RPC, or
with out-of-band agreement on transfer semantics).  Specifically, I'd
like to see some wording about the dangers involved in disregarding the
safety inherrent in restrictive application interfaces, as I discussed
here;

http://lists.w3.org/Archives/Public/xml-dist-app/2002Jan/0047.html

I also talked about this in the media type draft (published version[1],
work-in-progress version[2]).  It would probably be a good idea if the
media type draft could reference the text from the spec.

 [1] http://www.markbaker.ca/2001/12/draft-baker-soap-media-reg
 [2] http://www.markbaker.ca/2001/12/draft-baker-soap-media-reg-01.txt

MB
-- 
Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA.      mbaker@planetfred.com
http://www.markbaker.ca   http://www.planetfred.com

Received on Tuesday, 5 February 2002 12:36:28 UTC