- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 4 Jan 2002 14:43:16 -0800
- To: Mark Baker <distobj@acm.org>
- Cc: Rich Salz <rsalz@zolera.com>, xml-dist-app@w3.org
Perhaps we'd avoid some confusion if we split Security Considerations up into traditional concerns (confidentiality, integrity, authentication, authorisation, etc.) and these other concerns (as it's a fairly unique application framework that can be overlaid onto other application-layer protocols).

Something like

3. Security Considerations
  3.1 SOAP-Specific Security Considerations
  3.2 Use of SOAP with Substrate Protocols
    3.2.1 Tunnelled
    3.2.2 Non-Tunneled

On Fri, Jan 04, 2002 at 05:16:54PM -0500, Mark Baker wrote:
> > Ah, got it.
>
> Excellent!
>
> > My perception "Security Considerations" usually refers to
> > issues within the thing being defined, and (much) less so its
> > implications on others. For example, "the password could be exposed,"
> > and not "this may result in arbitrary code being executed in your
> > webserver." :)
>
> You're absolutely right that security considerations usually refers to
> those things (MarkN said the same thing to me), but I felt that this
> topic was the most important security consideration for using SOAP.
> Firewall admins are going to want to know whether they should trust
> application/soap+xml content, so I want us to be frank about the
> implications of it.
>
> > I think sec3 is wrongly-oriented, but don't (yet) have alternative text
> > to propose.
>
> Then put on your thinkin' cap! 8-) I'm open to any and all
> suggestions to improve on it. But I hope you agree that discussing
> what I explained to you is an important topic.
>
> MB
> --
> Mark Baker, Chief Science Officer, Planetfred, Inc.
> Ottawa, Ontario, CANADA. mbaker@planetfred.com
> http://www.markbaker.ca http://www.planetfred.com
>

--
Mark Nottingham
http://www.mnot.net/

Received on Friday, 4 January 2002 17:43:18 UTC