On Mon, 7 May 2001, Rusty wrote:
> I, for one, will always block SOAP because it was spawned by
> Mickeysoft and I have never seen anything "secure" from that bunch.

that alone shouldn't be enough to dismiss anything. let's face it, nearly
every company turns out crap, and if we applied that logic (they've turned
out crap before, they can't do it right) we'd be stuck going nowhere.
instead, evaluate it based on its merits.

SOAP is based on RPC and HTTP, two protocols which, alone, lack any decent
security measures. together, it's a mess. from section 8 in the draft
standard (version 1.1, available at http://www.w3.org/TR/SOAP/):

    8. Security Considerations

    Not described in this document are methods for integrity and
    privacy protection. Such issues will be addressed more fully in a
    future version(s) of this document.

that's certainly not good. however, the whole thing is extendable enough
that stronger authentication measures could be placed in there. they're
just not yet there.

bear in mind that SOAP was designed to get around those pesky firewalls
and bastard administrators who want to limit your productivity (under the
guise of 'protecting the infrastructure'). bahh! who needs that? (sarcasm,
folks, sarcasm ...)

again, we're in the quandary: facile communication balanced with security
concerns.

____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
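
Added example, not part of the original message: a sketch of how an HTTP proxy could recognise SOAP 1.1 requests so they can be evaluated or blocked by policy rather than passing as ordinary web traffic. It relies on the SOAPAction request header, which SOAP 1.1 (section 6.1.1) defines so that firewalls can filter SOAP requests, and on the SOAP 1.1 envelope namespace; the function names and the sample requests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 2)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body

def soap_indicators(raw: bytes):
    """Return the SOAP 1.1 markers seen in one request (empty list = none)."""
    method, headers, body = parse_http_request(raw)
    found = []
    if "soapaction" in headers:
        found.append("soapaction-header")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # SOAP 1.1 forbids a DTD in the message, so a body carrying one is not
    # handed to the XML parser at all (also avoids entity-expansion tricks).
    if method == "POST" and ctype == "text/xml" and b"<!DOCTYPE" not in body:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            root = None
        if root is not None and root.tag == "{%s}Envelope" % SOAP11_NS:
            found.append("soap-envelope-body")
    return found

def build(headers, body):
    """Assemble a constructed sample request for the checks below."""
    head = "POST /rpc HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("ascii") + b"\r\n" + body

# Constructed sample traffic (not captured from any real system).
ENVELOPE = (b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + SOAP11_NS.encode() + b'">'
            b'<SOAP-ENV:Body><m:GetQuote xmlns:m="urn:example"/>'
            b'</SOAP-ENV:Body></SOAP-ENV:Envelope>')
XML_CT = ("Content-Type", 'text/xml; charset="utf-8"')
SOAP_REQ = build([XML_CT, ("SOAPAction", '"urn:example#GetQuote"')], ENVELOPE)
NO_HEADER_REQ = build([XML_CT], ENVELOPE)  # client omitted SOAPAction
FORM_REQ = build([("Content-Type", "application/x-www-form-urlencoded")], b"a=1")

if __name__ == "__main__":
    for name in ("SOAP_REQ", "NO_HEADER_REQ", "FORM_REQ"):
        print(name, soap_indicators(globals()[name]))
```

Over HTTPS these fields are visible only to a proxy that terminates TLS.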