W3C home > Mailing lists > Public > xml-dist-app@w3.org > January 2002

Re: Draft registration of application/soap+xml

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 4 Jan 2002 14:43:16 -0800
To: Mark Baker <distobj@acm.org>
Cc: Rich Salz <rsalz@zolera.com>, xml-dist-app@w3.org
Message-ID: <20020104144316.A30252@mnot.net>

Perhaps we'd avoid some confusion if we split Security Considerations
up into traditional concerns (confidentiality, integrity,
authentication, authorisation, etc.) and these other concerns (as
it's a fairly unique application framework that can be overlayed onto
other application-layer protocols).

Something like 

3. Security Considerations

3.1 SOAP-Specific Security Considerations

3.2 Use of SOAP with Substrate Protocols

3.2.1 Tunnelled

3.2.2 Non-Tunneled





On Fri, Jan 04, 2002 at 05:16:54PM -0500, Mark Baker wrote:
> > Ah, got it.
> 
> Excellent!
> 
> >  My perception "Security Considerations" usually refers to 
> > issues within the thing being defined, and (much) less so its 
> > implications on others.  For example, "the password could be exposed," 
> > and not "this may result in arbitrary code being executed in your 
> > webserver." :)
> 
> You're absolutely right that security considerations usually refers to
> those things (MarkN said the same thing to me), but I felt that this
> topic was the most important security consideration for using SOAP.
> Firewall admins are going to want to know whether they should trust
> application/soap+xml content, so I want us to be frank about the
> implications of it.
> 
> > I think sec3 is wrongly-oriented, but don't (yet) have alternative text 
> > to propose.
> 
> Then put on your thinkin' cap!  8-) I'm open to any any and all
> suggestions to improve on it.  But I hope you agree that discussing
> what I explained to you is an important topic.
> 
> MB
> -- 
> Mark Baker, Chief Science Officer, Planetfred, Inc.
> Ottawa, Ontario, CANADA.      mbaker@planetfred.com
> http://www.markbaker.ca   http://www.planetfred.com
> 

-- 
Mark Nottingham
http://www.mnot.net/
 
Received on Friday, 4 January 2002 17:43:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:59:05 GMT