- From: Sanjiva Weerawarana <sanjiva@watson.ibm.com>
- Date: Tue, 23 May 2000 03:22:42 -0400
- To: "Andrew Layman" <andrewl@microsoft.com>, <Michael.Condry@eng.sun.com>, <xml-dist-app@w3.org>
Andrew writes:

>What exactly did IBM demonstrate? Why is this a hole in SOAP?
>
>Thanks.
>
>-----Original Message-----
>From: Michael Condry [mailto:Michael.Condry@eng.sun.com]
>Sent: Wednesday, May 17, 2000 6:31 PM
>To: Constantine Plotnikov; xml-dist-app@w3.org
>Subject: Re: XML protocol security
>
>
>Not clear if you are using it this way. SSL will not
>fix this.
>
>IBM showed a great example of SOAP holes in the
>W3C conference (WWW9) today.

*IBM* did not demonstrate anything. An IBM employee (Andrew Donoho) showed an example of communicating between two browsers by sharing some parts of the DOM. Either I didn't grok the demo or I personally don't see a SOAP level security flaw with what he showed .. it showed that DOM access was what browsers were all about and that you could share the DOM between two browsers using SOAP as a transport. (He was using a SOAP 1.0 implementation, but I don't think that's relevant.)

What Andrew showed in no way forms an *IBM* position on SOAP security. At the same time, neither does this message!

I personally think that a security layer above SOAP is necessary and useful, however, I disagree that SOAP itself is flawed because it doesn't come in with built-in security.

Sanjiva.
Received on Tuesday, 23 May 2000 03:23:05 UTC