Re: XML protocol security

I think that security is out of scope of XML RPC layer.
It is layer on top of it. Like SSL is a layer above
TCP or other stream protocol. 

Because such layers was not fixed yet. I think that we are 
in unique situation that can allow us to promote other security 
models. I found capabilty based security very interesting
model. It is quite unlike ACL model and I think that it suit
web more becuse it will work better in decentralized web. 
More information is available at:

Basically I think that there should be following logical 
1. (Secure) Transport Layer (examples: TCP+SSL, https, ...)
2. Messaging layer (XML-RPC)
3. Secure Distributed Object Model 

The diffculty with ACL is that they make proofs in layer 3 
quite difficult. Sandbox model is an variant of it.

The difficulty with capability based secutrity is that this 
model do not have ready to use simple paradigms of 
administration. At least I have not found it. I have some
ideas but have not yet tested them. Capability based security
is very natural model for mediating services.


Received on Wednesday, 17 May 2000 09:20:21 UTC