- From: Dick Brooks <dick@8760.com>
- Date: Sat, 13 May 2000 10:44:45 -0500
- To: "Dave Winer" <dave@userland.com>, "Anders W. Tell" <anderst@toolsmiths.se>, "Wesley M. Felter" <wesf@cs.utexas.edu>
- Cc: "Edd Dumbill" <edd@usefulinc.com>, <xml-dist-app@w3.org>, <dick@8760.com>
I've read both Ken and Dave's "position statements" with regard to Web RPCs and I believe Ken has identified real, practical concerns that must be addressed. The SOAP and XML-RPC specs seem to ignore the security issues that are so important to companies building E-Commerce applications. Security issues are a pain to deal with - but essential for E-Commerce.

Even the W3C pointed to this obvious lack of security considerations in the SOAP submission, ref:

"SOAP is one of the existing protocols in the domain of XML based protocols. However its object serialization scheme needs to be more explicit, as in the architectural model of HTTP-NG, where inheritance or method description issues were addressed. Also we think that security considerations should have a central place in such a design, as it is always more difficult, if not impossible, to add security afterwards.

Yves Lafon, W3C lead for Jigsaw Activity <ylafon@w3.org> $Date: 2000/05/08 20:28:43 $"

The US Government Critical Infrastructure Surety Team performs protocol analysis to determine the vulnerabilities of a protocol intended for mission critical, E-Commerce applications deployed over the Internet. If you want people to deploy XML-RPC or SOAP in their E-Commerce applications over the Internet, you need to provide a high degree of confidence that the approach is "safe". I suggest you get a respected group, such as the one I mentioned, to perform a surety analysis and publish the results on this list.

IMHO, both SOAP and XML-RPC are seriously negligent with regard to the security requirements of E-Commerce applications.

Dick Brooks
http://www.8760.com/

-----Original Message-----
From: xml-dist-app-request@w3.org [mailto:xml-dist-app-request@w3.org] On Behalf Of Dave Winer
Sent: Saturday, May 13, 2000 9:59 AM
To: Anders W. Tell; Wesley M. Felter
Cc: Edd Dumbill; xml-dist-app@w3.org
Subject: Re: Web RPCs Considered Harmful

I posted my response to Ken's caveat here:

http://soap.weblogs.com/discuss/msgReader$58

Dave
Received on Saturday, 13 May 2000 11:48:31 UTC