RE: XML protocol security

What exactly did IBM demonstrate? Why is this a hole in SOAP?

Thanks.

-----Original Message-----
From: Michael Condry [mailto:Michael.Condry@eng.sun.com]
Sent: Wednesday, May 17, 2000 6:31 PM
To: Constantine Plotnikov; xml-dist-app@w3.org
Subject: Re: XML protocol security


Not clear if you are using it this way. SSL will not
fix this.

IBM showed a great example of SOAP holes  in the 
W3C conference (WWW9) today.

>I think that security is out of scope of XML RPC layer.
>It is layer on top of it. Like SSL is a layer above
>TCP or other stream protocol. 
>
>Because such layers was not fixed yet. I think that we are 
>in unique situation that can allow us to promote other security 
>models. I found capabilty based security very interesting
>model. It is quite unlike ACL model and I think that it suit
>web more becuse it will work better in decentralized web. 
>More information is available at:
>
>http://www.skyhunter.com/marcs/capabilityIntro/index.html
>http://www.caplet.com/security/taxonomy/index.html
>
>Basically I think that there should be following logical 
>layers:
>1. (Secure) Transport Layer (examples: TCP+SSL, https, ...)
>2. Messaging layer (XML-RPC)
>3. Secure Distributed Object Model 
>
>The diffculty with ACL is that they make proofs in layer 3 
>quite difficult. Sandbox model is an variant of it.
>
>The difficulty with capability based secutrity is that this 
>model do not have ready to use simple paradigms of 
>administration. At least I have not found it. I have some
>ideas but have not yet tested them. Capability based security
>is very natural model for mediating services.
>
>Constantine
>

Received on Monday, 22 May 2000 18:30:18 UTC