RE: XML protocol security

There is one aspect of security with regard to transporting data that I'd
like to mention.
It may be discussed in the different protocols listed in the matrix, but I
wanted to make sure people were aware of it.

You can encrypt the transport and you can encrypt the message. If a
router/gateway/server needs to look at the body of the message in order to
handle the message, then the security on the body is compromised. So if an
XML message has information on the 'outside' that helps a router get the
message to the right destination, then the information on the 'inside' needs
to be able to be encrypted.
There is an example in the world of WAP and HTTP. When a message is sent
from a cell phone, it goes (theoretically) over an encrypted transport to a
WAP gateway. This gateway then acts like a proxy and translates the request
into HTTP and sends the request on its way. However, the WAP format uses a
form of certificates/encryption that are incompatible with the Web's
X.509/HTTPS - so the gateway decrypts the message & re-encrypts it via
X.509/HTTPS etc. (I'm not an expert so this description is not guaranteed to
be accurate at the detailed level.) This is such a big hole in security that
some banks buy a WAP gateway, install it behind their corporate firewall &
have a secure link to the cell phone companies telephone network. But banks
don't like this - they aren't in the business of software development and
managing servers. This will slow the adoption of wireless e-commerce. 

So... make sure that messages can be routed with being fully decrypted.


Received on Thursday, 18 May 2000 11:56:54 UTC