- From: <Noah_Mendelsohn@lotus.com>
- Date: Tue, 23 May 2000 11:45:12 -0400
- To: Michael Condry <Michael.Condry@eng.sun.com>
- Cc: andrewl@microsoft.com, Michael.Condry@eng.sun.com, xml-dist-app@w3.org, Andrew_Donoho/Austin/IBM@lotus.com
Andrew Donoho of IBM demonstrated an experimental implementation of SOAP
glue into the DOM exposed by a browser. One machine can therefore script
another's UI and browser content.
In general, if you expose an insecure API to the network, you will be
raising security issues. I believe that any industrial-strength
implementation of such DOM/network services would have to have a carefully
fleshed out security architecture. Of course, there is a broader question
as to whether exposing such a DOM is the right thing to do, and security
is part of that question. It's not fundamentally a SOAP issue...it's that
you are making a big mistake if you run any of these systems (SOAP,
XML-RPC, etc.) in a mode where it has access to arbitrary objects on your
system, or to particular objects without the appropriate security in
place.
------------------------------------------------------------------------
Noah Mendelsohn Voice: 1-617-693-4036
Lotus Development Corp. Fax: 1-617-693-8676
One Rogers Street
Cambridge, MA 02142
------------------------------------------------------------------------
Michael Condry <Michael.Condry@eng.sun.com>
Sent by: xml-dist-app-request@w3.org
05/22/00 06:42 PM
Please respond to Michael Condry
To: Michael.Condry@eng.sun.com, xml-dist-app@w3.org, andrewl@microsoft.com
cc: (bcc: Noah Mendelsohn/CAM/Lotus)
Subject: RE: XML protocol security
I asked IBM to clarify.
Received on Tuesday, 23 May 2000 11:51:29 UTC