xml-dev - Re: [xml-dev] SOAP-RPC and REST and security

Re: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] SOAP-RPC and REST and security
From: Paul Prescod <paul@prescod.net>
Date: Wed, 20 Feb 2002 21:59:11 -0800
References: <4F4182C71C1FDD4BA0937A7EB7B8B4C1020ED18F@red-msg-08.redmond.corp.microsoft.com>

Joshua Allen wrote:
> 
>...
> 
> Like when I create a PPTP tunnel over the Internet to dial in to my corporate account?  

We're talking about application protocols. They have semantics.

>...
> I will boil your long argument down to this:  you claim that HTTP in 
> a REST model is secure, 

Security is not a boolean property. Architectures and standards promote
or hurt the likelihood of secure implementations. 

> ... because an admin can trust that a GET does not modify 
> resources, and he can control access to other more 
> "dangerous" verbs.  

It isn't one thing. Idempotent GET is just an example. It is in general
about making the message's meaning known to the firewall explicitly by:

 a) choosing a unique port
 b) having a consistent, simple structure
 c) having well-defined semantics
 d) having a transparent addressing model

SOAP scores poorly on all of these criteria. It flouts all Internet
protocol labeling conventions.

Does that mean that SOAP is "insecure?" No. Does it mean that SOAP will
exact a higher price in terms of break-ins and product prices than it
otherwise would. I think so. Time will tell.

 Paul Prescod

References:
- RE: [xml-dev] SOAP-RPC and REST and security
  - From: "Joshua Allen" <joshuaa@microsoft.com>

Prev by Date: Re: [xml-dev] SOAP-RPC and REST and security
Next by Date: RE: [xml-dev] SOAP-RPC and REST and security
Previous by thread: RE: [xml-dev] SOAP-RPC and REST and security
Next by thread: RE: [xml-dev] SOAP-RPC and REST and security
Index(es):
- Date
- Thread