- From: Mike Dierken <mike@DataChannel.com>
- Date: Thu, 18 May 2000 08:50:05 -0700
- To: "'xml-dist-app@w3.org'" <xml-dist-app@w3.org>
There is one aspect of security with regard to transporting data that I'd like to mention. It may be discussed in the different protocols listed in the matrix, but I wanted to make sure people were aware of it. You can encrypt the transport and you can encrypt the message. If a router/gateway/server needs to look at the body of the message in order to handle the message, then the security on the body is compromised. So if an XML message has information on the 'outside' that helps a router get the message to the right destination, then the information on the 'inside' needs to be able to be encrypted. There is an example in the world of WAP and HTTP. When a message is sent from a cell phone, it goes (theoretically) over an encrypted transport to a WAP gateway. This gateway then acts like a proxy and translates the request into HTTP and sends the request on its way. However, the WAP format uses a form of certificates/encryption that are incompatible with the Web's X.509/HTTPS - so the gateway decrypts the message & re-encrypts it via X.509/HTTPS etc. (I'm not an expert so this description is not guaranteed to be accurate at the detailed level.) This is such a big hole in security that some banks buy a WAP gateway, install it behind their corporate firewall & have a secure link to the cell phone companies telephone network. But banks don't like this - they aren't in the business of software development and managing servers. This will slow the adoption of wireless e-commerce. So... make sure that messages can be routed with being fully decrypted. Mike
Received on Thursday, 18 May 2000 11:56:54 UTC