Hello,

On Wed, 6 Jun 2001, Dr S N Henson wrote:

> > I don't think using RPC is a good idea.
> > You use a smartcard to provide security in an unsecure environment.
> > I don't want to send my PIN code in clear over RPC. You need to have
> > authentication, integrity and confidentiality of your network
> > communications.

[snip]

> For accessing remote computers (which the original query was about)
> something like ssh or secure telnet using smart card based keys
> for authentication would be more appropriate.

Might I suggest something like SOAP or XML-RPC? (SOAP == Simple Object
Access Protocol.)

I'm actually only just learning about them myself, so what I'm about to
say may not be entirely accurate...

Both of these are mechanisms for doing RPC where the actual data passed
over the network is formatted as XML.  I think it's a good idea because it
allows easy cross platform compatibility and also is implementation
language independent.  Just about every language implementation has HTTP
and XML libraries, so it would be trivial for anyone to develop a wrapper
library that can speak to MUSCLE readers.  And there's no need to link
against the MUSCLE libs or deal with whether SUN RPC has been ported to
your platform (think *very* small embedded systems on obscure hardware).

Neither spec mentions anything about security, but since they both run
over HTTP, using HTTPS (i.e. SSL) is pretty obvious.  (And you don't HAVE
to use HTTP/HTTPS.)  

Personally I like ssh, but it doesn't quite have the acceptance of SSL (no
flames, please!), and neither is it the whole solution (i.e. it doesn't
address the encoding for the RPC data).  Something like XML-RPC over SSL
(requiring client certificates for full authentication) seems the way to
go.  Or even XML-RPC over ssh if that works for you.

From http://www.w3.org/TR/SOAP/

        SOAP is a lightweight protocol for exchange of information in a
        decentralized, distributed environment. It is an XML based
        protocol that consists of three parts: an envelope that defines a
        framework for describing what is in a message and how to process
        it, a set of encoding rules for expressing instances of
        application-defined datatypes, and a convention for representing
        remote procedure calls and responses. SOAP can potentially be used
        in combination with a variety of other protocols; however, the
        only bindings defined in this document describe how to use SOAP in
        combination with HTTP and HTTP Extension Framework

From http://www.xmlrpc.com/spec

        What is XML-RPC? 

        It's a spec and a set of implementations that allow software
        running on disparate operating systems, running in different
        environments to make procedure calls over the Internet.

        It's remote procedure calling using HTTP as the transport and XML
        as the encoding. XML-RPC is designed to be as simple as possible,
        while allowing complex data structures to be transmitted,
        processed and returned.

The "full" XML-RPC spec is here: http://www.xmlrpc.com/spec (it seems a
little TOO simple).

Added bonus is that you can do the RPC through firewalls (via HTTP
proxies) fairly easily.

I'm not sure what the technical differences are between SOAP and XML-RPC,
but there seem to be some political issues (i.e. what company supports
which standard).

Just some food for thought.

--Jeremy

Jeremy Impson
Sr. Associate Network Engineer
Advanced Technologies Department
Lockheed Martin Systems Integration
email: [EMAIL PROTECTED]
phone: 607-751-5618
fax:   607-751-6025

***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
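
Added example, not part of the original message or of any MUSCLE code: a Python sketch of the "XML-RPC over SSL requiring client certificates" setup the message proposes, which also shows that the XML-RPC body itself carries a PIN as plain text. The method name reader.verifyPin, the helper names and the certificate file parameters are assumptions made for illustration.

```python
import ssl
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

def encode_verify_pin(reader, pin):
    """XML-RPC request body for a hypothetical reader.verifyPin call."""
    # The PIN travels as a plain <string> element: the encoding gives
    # no confidentiality, so the transport has to provide it.
    return xmlrpc.client.dumps((reader, pin), methodname="reader.verifyPin")

def server_context(certfile=None, keyfile=None, client_ca=None):
    """Server-side TLS context that refuses clients without a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # client certificate is mandatory
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # the server's own identity
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # CA that issues client certs
    return ctx

def client_context(server_ca=None, certfile=None, keyfile=None):
    """Client-side TLS context: verifies the server and presents a certificate."""
    ctx = ssl.create_default_context(cafile=server_ca)  # chain + hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # the client's own identity
    return ctx

def make_server(addr, ctx, verify_pin):
    """Bind an XML-RPC server whose listening socket only speaks TLS."""
    srv = SimpleXMLRPCServer(addr, logRequests=False, bind_and_activate=False)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.server_bind()
    srv.server_activate()
    srv.register_function(verify_pin, "reader.verifyPin")
    return srv

def make_proxy(url, ctx):
    """Client stub; url must be https:// for the context to be applied."""
    return xmlrpc.client.ServerProxy(url, context=ctx)

if __name__ == "__main__":
    # Constructed sample values, printed to show what would cross the wire.
    print(encode_verify_pin("reader0", "1234"))
```

With CERT_REQUIRED on the server, the TLS handshake fails before any XML-RPC request is parsed unless the client presents a certificate that chains to client_ca.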
