OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   RE: Web RPCs Considered Harmful

[ Lists Home | Date Index | Thread Index ]
  • From: "Dick Brooks" <dick@8760.com>
  • To: "Dave Winer" <dave@userland.com>, <xml-dev@xml.org>
  • Date: Sat, 13 May 2000 10:46:11 -0500

I've read both Ken and Daves "position statements" with regard to Web RPC's
and I believe Ken has identifed real, practical concerns that must be
addressed. The SOAP and XML-RPC specs seem to ignore the security issues
that are so important to companies building E-Commerce applications.
Security issues are a pain to deal with - but essential for E-Commerce. Even
the W3C pointed to this obvious lack of security considerations in the SOAP
submission, ref:

"SOAP is one of the existing protocols in the domain of XML based protocols.
However its object serialization scheme needs to be more explicit, as in the
architectural model of HTTP-NG, where inheritance or method description
issues were addressed. Also we think that security considerations should
have a central place in such a design, as it is always more difficult, if
not impossible, to add security afterwards.

Yves Lafon, W3C lead for Jigsaw Activity <ylafon@w3.org>
$Date: 2000/05/08 20:28:43 $ "

The US Government Critical Infrastructure Surety Team performs protocol
analysis to determine the vulnerabilities of a protocol intended for mission
critical, E-Commerce applications deployed over the Internet. If you want
people to deploy XML-RPC or SOAP in their E-Commerce applications over the
Internet, you need to provide a high degree of confidence that the approach
is "safe". I suggest you get a respected group, such as the one I mentioned,
to perform a surety analysis and publish the results on this list.

IMHO, both SOAP and XML-RPC are seriously negligent with regard to the
security requirements of E-Commerce applications.

Dick Brooks
http://www.8760.com/

-----Original Message-----
From: owner-xml-dev@xml.org [mailto:owner-xml-dev@xml.org]On Behalf Of
Dave Winer
Sent: Saturday, May 13, 2000 10:01 AM
To: xml-dev@xml.org
Subject: Re: Web RPCs Considered Harmful


I posted my response to Ken's caveat here:

http://soap.weblogs.com/discuss/msgReader$58

Dave





***************************************************************************
This is xml-dev, the mailing list for XML developers.
To unsubscribe, mailto:majordomo@xml.org&BODY=unsubscribe%20xml-dev
List archives are available at http://xml.org/archives/xml-dev/
***************************************************************************


***************************************************************************
This is xml-dev, the mailing list for XML developers.
To unsubscribe, mailto:majordomo@xml.org&BODY=unsubscribe%20xml-dev
List archives are available at http://xml.org/archives/xml-dev/
***************************************************************************




 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS