- From: Henrik Frystyk Nielsen <frystyk@microsoft.com>
- Date: Sat, 13 May 2000 10:54:28 -0700
- To: <dick@8760.com>, "Dave Winer" <dave@userland.com>, "Anders W. Tell" <anderst@toolsmiths.se>, "Wesley M. Felter" <wesf@cs.utexas.edu>
- Cc: "Edd Dumbill" <edd@usefulinc.com>, <xml-dist-app@w3.org>, <dick@8760.com>

> I've read both Ken and Dave's "position statements" with regard to Web RPCs
> and I believe Ken has identified real, practical concerns that must be
> addressed. The SOAP and XML-RPC specs seem to ignore the security issues
> that are so important to companies building E-Commerce applications.
> Security issues are a pain to deal with - but essential for E-Commerce. Even
> the W3C pointed to this obvious lack of security considerations in the SOAP
> submission, ref:

The important point here is that SOAP really doesn't do much - it defines an envelope with a message path model and proposes an encoding mechanism and a convention for using it for RPC if that is what you like.

There is no explicit mention of security because the hooks provided can apply to any feature: you can apply it below (as transport), above (as SOAP headers) and we were careful to allow for nested SOAP envelopes so you can apply it to a SOAP envelope as well. SOAP doesn't define *a* security policy because we expect that there is a need for multiple policies and even a capability for negotiating which one to use depending on the context (commerce, medical etc.) but that is not for the base SOAP to do.

Regarding whether RPC is harmful, it is fundamentally a question of whether you believe in human rights applied to protocols: communicating parties must have equal rights for expressing capabilities and policies, but more about that at the WWW9 panel.

Henrik

Received on Saturday, 13 May 2000 14:26:31 UTC