OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]

Joshua Allen wrote:
> Like when I create a PPTP tunnel over the Internet to dial in to my corporate account?  

We're talking about application protocols. They have semantics.

> I will boil your long argument down to this:  you claim that HTTP in 
> a REST model is secure, 

Security is not a boolean property. Architectures and standards promote
or hurt the likelihood of secure implementations. 

> ... because an admin can trust that a GET does not modify 
> resources, and he can control access to other more 
> "dangerous" verbs.  

It isn't one thing. Idempotent GET is just an example. It is in general
about making the message's meaning known to the firewall explicitly by:

 a) choosing a unique port
 b) having a consistent, simple structure
 c) having well-defined semantics
 d) having a transparent addressing model

SOAP scores poorly on all of these criteria. It flouts all Internet
protocol labeling conventions.

Does that mean that SOAP is "insecure?" No. Does it mean that SOAP will
exact a higher price in terms of break-ins and product prices than it
otherwise would. I think so. Time will tell.

 Paul Prescod


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS