RE: [fw-wiz] Soap - Was RPCs over HTTPS through the firewall

From: Dick Brooks (dick_at_tech-comm.com)
Date: 05/02/03

  • Next message: david singleton: "RE: [fw-wiz] RPCs over HTTPS through the firewall"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 2 May 2003 09:46:14 -0700
    

    And people say security folks have no sense of humor...

    Seriously, SOAP 1.1 [1] doesn't specify any security functions, but instead
    relies on the underlying "carrier", in this case HTTP(S), to provide access
    control (basic authentication) and transport level confidentiality (SSL).

    If you are using SOAP with Attachments [2] then you can also sign/encrypt
    your business data using PGP or S/MIME. It's also possible to stuff an S/MIME
    or PGP encrypted/signed document into a SOAP body element, but this requires
    "special" handling using base64 and can get quite ugly.

    The bottom line, IMO, security functions can be added to SOAP 1.1, but SOAP
    itself doesn't define specific security characteristics. Interoperability is
    another challenge when you combine security functions with SOAP.

    [1] http://www.w3.org/TR/SOAP/
    [2] http://www.w3.org/TR/SOAP-attachments

    Regards,

    *** Brooks
    Independent Consultant
    B2B Integration and Cyber Security
    Mobile:602-684-1484
    eFax:240-352-0714

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Mason
    Schmitt
    Sent: Friday, May 02, 2003 7:58 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Soap - Was RPCs over HTTPS through the firewall

    On Fri, 2003-05-02 at 06:52, Marcus J. Ranum wrote:
    > Mason Schmitt wrote:
    > >What I'm curious about is whether the members of this list have any
    > >concerns with soap as a method of doing RPC and whether there are any
    > >firewall concerns.
    >
    > No concerns - Soap is from Microsoft, so it's OK.
    > Remember, Microsoft got serious about security last year, and fixed
    > all the flaws in their code. I think they spent a whole month or something
    > like that doing it. I'm sure that Soap's fine, now.
    >
    I'm sure that a month is more than enough time to bring the whole
    Windows family up to an acceptable level of security... Look at how
    they solved the attachment issue in Outlook - just don't allow people
    the option of receiving attachments. Grrr...

    All joking aside though, didn't soap grow out of XML RPC? Not that that
    necessarily means anything from a security standpoint... I'm just
    wondering if anyone has any caveats concerning soap that I may be
    missing.

    Mason

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
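
The base64 handling mentioned in the reply above for placing a signed or encrypted document in a SOAP 1.1 Body, as an added example that is not part of the original thread. The application namespace, the `SignedDocument` element, its `encoding` attribute and the blob are assumptions constructed for illustration; the blob is a stand-in for binary PGP or S/MIME output, not a real signature.

```python
import base64
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
APP_NS = "urn:example:orders"                          # hypothetical application namespace

# Constructed stand-in for a binary PGP or S/MIME object (not a real signature).
SIGNED_BLOB = b"\x30\x82\x01\x0a\x00<fake-cms>&\xff\x8f signed order #1"

def raw_embedding_parses(blob: bytes) -> bool:
    """Place the blob in the Body with no encoding; report whether the XML parses."""
    xml = b'<e:Envelope xmlns:e="' + SOAP_NS.encode() + b'"><e:Body>' + blob + b"</e:Body></e:Envelope>"
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:  # NUL bytes, stray '<' and '&' are not legal XML content
        return False

def build_envelope(blob: bytes) -> bytes:
    """Sender side: base64 the blob so it survives as XML character data."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    doc = ET.SubElement(body, f"{{{APP_NS}}}SignedDocument", {"encoding": "base64"})
    doc.text = base64.b64encode(blob).decode("ascii")
    return ET.tostring(env, encoding="utf-8")

def extract_blob(envelope: bytes) -> bytes:
    """Receiver side: locate the element and strictly decode it before verification."""
    root = ET.fromstring(envelope)
    doc = root.find(f"{{{SOAP_NS}}}Body/{{{APP_NS}}}SignedDocument")
    if doc is None or doc.get("encoding") != "base64":
        raise ValueError("no base64 SignedDocument in SOAP Body")
    return base64.b64decode(doc.text or "", validate=True)

def envelope_with_extra_header(envelope: bytes) -> bytes:
    """Change the envelope outside the blob, as any hop between the peers could."""
    root = ET.fromstring(envelope)
    header = ET.Element(f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{APP_NS}}}Route").text = "changed-in-transit"
    root.insert(0, header)
    return ET.tostring(root, encoding="utf-8")

if __name__ == "__main__":
    env = build_envelope(SIGNED_BLOB)
    print("raw bytes parse as XML:", raw_embedding_parses(SIGNED_BLOB))
    print("round trip intact:", extract_blob(env) == SIGNED_BLOB)
    # The blob is unchanged, so its signature would still verify even though
    # the envelope around it was altered: only the embedded document is covered.
    print("blob survives header change:", extract_blob(envelope_with_extra_header(env)) == SIGNED_BLOB)
```

Anything outside the embedded document, such as SOAP headers, is protected only by the HTTPS transport, and a content-inspecting proxy sees nothing of the payload but base64 text.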
