RE: XML protocol security

Wes,

I suggest adding "access controls and fine grained authorization mechanisms"
to your list.

Dick Brooks
http://www.8760.com/

-----Original Message-----
From: xml-dist-app-request@w3.org [mailto:xml-dist-app-request@w3.org]On
Behalf Of Wesley M. Felter
Sent: Saturday, May 13, 2000 11:28 AM
To: xml-dist-app@w3.org
Subject: XML protocol security


Here are my three thoughts about security:

Since most of the protocols discussed on this list let users define new
interfaces (i.e. they're really meta-protocols), there's no way to ensure
that all interfaces are designed with security in mind.

Even if a protocol is secure, that doesn't ensure that implementations are
secure. It seems to me that most security problems I've heard of were
implementation problems rather than protocol problems.

With those two sobering thoughts out of the way, what are people's
security needs? It's not enough to say that "foo is not secure", since
security is not one thing. I would expect an XML protocol to provide
authentication, integrity, and privacy; is there anything else that I'm
forgetting? Is a separation of authentication from authorization
desirable?

Wesley Felter - wesf@cs.utexas.edu - http://www.cs.utexas.edu/users/wesf/

Received on Saturday, 13 May 2000 15:14:06 UTC