Print

Print


Hi all,

Here are some results of my question about security enhancing by means of
XML. I summarize some reactions en make some sort of conclusion on which
I would like your reactions.

First of all the term 'security' has several meanings: Confidentiality,
authentication, integrity and non-repudiation. (according to the article
"Cryptography and the Web" http://www.w3journal.com/7/s3.crypt.wrap.html)

Combining e-mail reactions with web-search and talking to people, I have
com to the following (IMHO)

XML is unfit for all of the above mentioned security issues. Securing a
document should be left to a method on a lower level such as SHTTP or
SSL. XML gives us a way to structure (DTD) the data we want to send. XML
operates on an abstract (logical) level where security questions are out
of place.


XML does enable some security-related issues. For example:

Authorization (see Scott Roth'posting)
Create different views for different users by means of DTD.

Choice of security-protocol to be used (see Charles Chou's posting)
XML can be used to convey the security protocol which two applications
are going to use in their communication.


My conclusion is:
XML is unable to solve security-problems. It is very logical that this is
not possible from the viewpoint of XML's abstract data-modelling role in
data communication.


I would be interested to know what you all think about this.

Greetings
Mark Wiggerman

[log in to unmask]
ABN AMRO Bank
Project Applied Security



My original posting:
-------------------------------------------------------------------------
>Hi,
>
>I am interested in how XML (and related standards) can create or improve
>secure communication over the Internet.
>Does anyone know of projects where XML played a role in securing
>web-communications?
>
>I have found a proposed standard on digital signatures using XML
>(http://search.ietf.org/internet-drafts/draft-ietf-trade-xml-sig-00.txt
),
>but this proposed standard doesn't create a signature from the complete
>XML-document, just the sender, DTD-source-address and some other
>elements. So "the authentication is therefore indirect". For me this is
>just not good enough.
>
>I am looking forward to your reactions,
>
>Mark Wiggerman
>------------------------------------------------------------
>Mark Wiggerman
>[log in to unmask]
>------------------------------------------------------------
>

-------------------------------------------------------------------------
Well,

I know xml can help with security in a variety of ways.  I have seen XML
used with XSL to give specific type views to certain users based on their
login rights.  Then you can have content specific security also.  If you
want more info on this kinda stuff let me know.  Also I think DTDs could
increase security too...

Scott Roth

-------------------------------------------------------------------------

I believe the draft deals with only the authentication of the XML document
itself, not Internet security in general. The reason for the indirection
is
to authenticate the source and the resources an XML document represents,
as
anyone can authenticate a "false", or "misleading" XML document.
You may use XML to convey a security protocol used in your application
which
may include, in addition to authentication, authorization parameters,
resource locations and perhaps some "proprietary" communication channels
which the application can later use to establish secure communications and
exchange data, which may also be XML documents.

Regards,
Charles Chou
Icon CMT Corp.
-------------------------------------------------------------------------