OASIS Mailing List Archives

 



 


 

   RE: [xml-dev] SOAP-RPC and REST and security



From: Paul Prescod [mailto:paul@prescod.net]

"Bullard, Claude L (Len)" wrote:

>> Be sure that only idiots would expose their non-trivial business documents to
>> "the Web" through any kind of interface.  Nothing gives a competitor such advantages as
>> to be able to see this stuff.  

>How does a competitor get through the authentication? They steal a
>password? If they can do that, why can't they steal a password to your
>VPN or your webserver?

Because those documents are not on the web.  Period.  The RFP (request) may be 
and often is, but not the response.  See the difference?  Different 
policies govern different document types.

>> ... That is why contracts for proposal responses include language
>> about the public dissemination of the documents submitted.

>Highly secret documents can be "on the web". If you don't have the
>password you don't get the document. Putting it behind six layers of RPC
>adds no security. It boils down to: if you don't have the password you
>don't get the document. (where password is broadly interpreted as
>password, capability, private key, etc.)

Highly secret documents on the web are owned by idiots.  Most of the 
time, one avoids doing business with idiots.  When unavoidable, one 
limits exposure through contract language and remediation.  As Orchard 
points out, contracting in automagic form would be very difficult.  My 
guess at this time is that the toolkit provider will provide a means 
to add web service interfaces to the toolkit post negotiation.  Then 
an authentication process takes over.  The trick is reselling that 
interface in products.  Who is the buyer and who makes the deal? 
I don't know.  I could speculate that it will be based on the same 
kind of contracts that VARs use or something similar.

>You're building this wonderful system based on the software you get on
>MSDN CDs. And you trust it to maintain your security more than you do
>Apache?

Spy Vs Spy.  Trust No One.

>If the secret to security is "business professionals using requirements
>derived from contracts derived from proposals" then I guess we'll soon
>see an end to all of the hacking going around. All they need is a few
>more dollars on business professionals and requirements, right? That's
>enough to stop Microsoft from having any more massive holes in their
>operating system. That'll stop IBM's 4758 cryptographic co-processor
>from being hacked next time. It will prevent security leaks at the
>Japanese State Agency and major computer theft at Barclay's bank?

I agree with you.  See above.  One has to be somewhat dazed to expose 
their assets like that.  Anyway, this isn't about an attack on MS. 
I think they are aware of their problems.  Gates has been beating 
it into their heads.  But the Net itself was never really designed 
for secure communications.  That is why the In the Know guys use 
Intellink.  We've had to dupe the public to use "The Web" and 
they are only now waking up to the depth of that duplicity.
 
>Security is a discipline.

Yes.  I've worked in worlds that know that.  They build emission  
proof vaults, etc.  Part of the education of the public that will 
come as a shock to some is just how much of their privacy is now 
a historical oddity.  Guess who made that easier to dispose of? 
We did.  With The Web.  And a rigged vote in Florida that put 
folks in charge with a very loose sense of patriotism.

http://www.guardian.co.uk/Columnists/Column/0,5673,651975,00.html

>Len, I have no idea what you are talking about. URLs can be used
>stupidly. Yes. So? Nobody said that you should turn off access controls.
>At some level your business documents have to interface with the Web.

No they don't.  That's the point.  And when they do, we will make sure 
that only low criticality items move back and forth.  Part of the discipline 
of security is that an asset has a security class and all operations on 
it are made in the context of that class.  Choose wisely.

>They flow to your business partners over HTTP. The only question is
>whether you take advantage of that and use the Web to secure them or
>just stack security flaws in SOAP implementations on top of whatever
>security flaws there may be in HTTP implementations.

They also go FedEx.  One can always hijack a truck or an airliner, 
but most business deals aren't worth that.  The more difficult 
problem is exposing safety security systems.  The web is slightly 
better than using the radio.  Scanners are a petty criminal's 
best friend.  It takes a bit more knowledge to scan the web.

But not much.  Like the scanner, companies sell you the 
technology shrinkwrapped and ready to use.

And IBM claims this is a new utility?  Not without regulators. 
So, what do you think is coming next?

len




 


Copyright 2001 XML.org. This site is hosted by OASIS