Lists Home |
Date Index |
On Sat, 23 Nov 2002 09:42:13 -0800 (PST), m a r l o n . n e l s o n <firstname.lastname@example.org>
> My question now is, what role does security play in all this? How secure
> is the 'city'?
As best I understand it, the city is as secure as the garrison behind the
walls, i.e. the infrastructure that is already in place for authentication,
authorization, encryption, non-repudiation, signatures, etc. WS-Security
only claims to provide a mechanism for identifying and exchanging security
tokens so that the security parameters can be negotiated over the Web.
Since most of what people do with web services now is negotiated up front
rather than in real time when services are invoked, the "insecurity" of web
services is a red herring: businesses can negotiate a mechanism for
exchanging security tokens, or use a proprietary security scheme, or
whatever. Conversely, if WS-Security became a universally supported
standard tomorrow, that wouldn't make web services secure unless the
parties invest in the security infrastructure they would need to secure
their human-centric web applications, their COM/CORBA applications, etc.
The standards just make it a bit easier to handle the boring details, they
don't create secure web service environments.