> It's a slight overstatement -- very occasionally it is, in fact, necessary
> to make uncomfortably large specifications -- but for the most part, I agree
> with it. Profiles are a pragmatic way to salvage something from a morbidly
> obese specification, but they also significantly increase compatibility
> problems: if you have n different profiles, then you have n^2-1 lines of
> incompatibility.
Sometimes a spec isn't huge, but is instead a simple container. Many
security specs are written this way. For example, the IETF has profiled
X.509 certificates and Liberty is a profile of SAML.

Sometimes (again, in the security world), the data format itself must be
well-designed or it can be a weak spot. For example, Bleichenbacher's
attack that made newspaper headlines in 1998 was because he found a
weakness in how the RSA signature was padded to fill out a buffer. So,
once you get a secure data format, you often leave it "open" so that
various crypto mechanisms (RSA, DSA, etc) can be used within that data
format. In this case, you need a profile to determine which crypto to
actually use. An example of this is WS-I Basic Security Profile of
WS-Security, which itself profiles/specifies/refines how to use XML DSIG
and XML Encryption to cryptographically secure SOAP messages.
Hope this helps.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
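
Added example, not part of the original message: a profile check over an XML DSIG `ds:Signature`, showing how a profile narrows the algorithms an open container format permits. The `PROFILE` allowlist, the function name and the sample signature are constructed for illustration and are not taken from the WS-I Basic Security Profile text.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical profile (an assumption for this example, not the WS-I text):
# XML DSIG leaves the algorithm open, the profile pins a set per role.
PROFILE = {
    "CanonicalizationMethod": {"http://www.w3.org/2001/10/xml-exc-c14n#"},
    "SignatureMethod": {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"},
    "DigestMethod": {"http://www.w3.org/2001/04/xmlenc#sha256"},
}

# Constructed sample: well-formed XML DSIG, but outside the profile above.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <ds:Reference URI="#body">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AAAA</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>AAAA</ds:SignatureValue>
</ds:Signature>"""


def profile_violations(signature_xml, profile=PROFILE):
    """Return (element, algorithm) pairs that the profile does not allow."""
    root = ET.fromstring(signature_xml)
    # Accept a bare ds:Signature or one nested in a larger message.
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(f".//{{{DS}}}Signature")
    signed_info = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    if signed_info is None:
        return [("SignedInfo", "missing")]
    violations = []
    for role, allowed in profile.items():
        elems = list(signed_info.iter(f"{{{DS}}}{role}"))
        if not elems:
            # A role with no declared algorithm cannot satisfy the profile.
            violations.append((role, "missing"))
        for el in elems:
            alg = el.get("Algorithm")
            if alg not in allowed:
                violations.append((role, alg))
    return violations


if __name__ == "__main__":
    print(profile_violations(SAMPLE))
```

The check runs before any signature verification, so a message that is valid XML DSIG but uses an algorithm outside the profile is rejected without the verifier ever selecting that algorithm.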