Re: Web RPCs Considered Harmful

OK, if that's what this is about, we've already crossed this line. We
operate in a restricted sandbox server-side. I think Wes outlined the way to
approach this. I'm looking for help, not brakes. I see xml-rpc and soap as
mere formalizations of what we're already doing, all over the Web, through
cgis, asps, jsps, etc. To try to put the genie back in the bottle is a big,
undoable task, imho, and also not worthwhile. Users want web apps, so they
will have them (they already do). Dave

----- Original Message -----
From: "Ken MacLeod" <>
To: <>
Sent: Saturday, May 13, 2000 10:02 AM
Subject: Re: Web RPCs Considered Harmful

> "Dave Winer" <> writes:
> > What would be the most practical, easy and low-tech way to add a
> > layer of security, using current best-practices of the Internet?
> >
> > Rather than seeing this a time to put the brakes on, could we get
> > into problem solving mode and have an answer that can easily be
> > implemented in conjunction with the RPC work?
> Since the problem is not one of active security (access control), but
> of passive security (unintended faults), the solution isn't really
> something one puts into a specification.
> The current best-practice of the Internet for solving the passive
> security problem is "sandboxing", highly restricting the environment
> and access to resources from where code runs so that when that code
> fails it is still confined to the sandbox.
> Java and JavaScript, as examples, are designed with sandboxing as a
> core feature.
>   -- Ken

Received on Saturday, 13 May 2000 13:30:39 UTC