Securing SOAP
The leading contender for the communications protocol that facilitates the world’s business transactions is designed to transmit data over HTTP, in the clear. Although some of the creators of Simple Object Access Protocol (SOAP) have expressed concern, the consortium responsible for redrafting SOAP into the new Extensible Markup Language (XML) Protocol is nearing agreement that security is, simply put, not their problem. In the meantime — and possibly as a result — Microsoft and Verisign have just announced a new security procedure for person-to-person SOAP transactions, but a workable mechanism for securing Internet transactions between software and software may be years away.

Some of SOAP’s architects contend that building security into their protocol would only sacrifice its simplicity, and that the HTTP sessions that SOAP transactions rely on can already be secured at the session level, with protocols such as SSL. Moreover, securing sessions from outside interception, security experts believe, cannot protect transactions from two other perceived threats: interception from the inside and bad programming. With a protocol extension to SOAP for message attachments in the works, a third possible threat emerges — one that too many have become familiar with: malicious scripts.

Chris Dix, a SOAP programmer with FMStrategies, sides…
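The distinction the article draws, between securing the HTTP session and securing the SOAP message itself, is easy to see in code. The following is an added illustration, not code from the article or from any of the parties it names: it builds a minimal SOAP 1.1 envelope, shows that the payload is plaintext on the wire, and then attaches an integrity tag computed over the SOAP Body. A shared-key HMAC is used here purely as a stand-in for message-level signing (the article does not describe the Microsoft/Verisign procedure in enough detail to reproduce it); the `Transfer` operation, account and amount fields are constructed sample data. The point it demonstrates is that a tag bound to the message survives the place where a TLS session terminates, so an intermediary inside the perimeter that rewrites the Body is detected, whereas session-level encryption alone says nothing about who touched the message after decryption.

```python
"""Session-level vs message-level protection of a SOAP envelope (constructed example)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)


def build_envelope(account: str, amount: str) -> bytes:
    """Return a SOAP 1.1 envelope for a hypothetical Transfer call.

    The operation name and its fields are constructed for this example; the
    bytes returned are exactly what a SOAP client would POST over HTTP.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, "Transfer")
    ET.SubElement(call, "account").text = account
    ET.SubElement(call, "amount").text = amount
    return ET.tostring(env, encoding="utf-8")


def body_bytes(envelope: bytes) -> bytes:
    """Serialize only the soap:Body, which is the part an integrity tag must cover."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("envelope has no soap:Body")
    return ET.tostring(body, encoding="utf-8")


def sign_body(envelope: bytes, key: bytes) -> str:
    """Message-level tag over the Body. HMAC-SHA256 stands in for a real
    signature scheme; it travels with the message, independent of any TLS session."""
    return hmac.new(key, body_bytes(envelope), hashlib.sha256).hexdigest()


def verify_body(envelope: bytes, key: bytes, tag: str) -> bool:
    """Constant-time check that the Body matches the tag it was sent with."""
    return hmac.compare_digest(sign_body(envelope, key), tag)


def rewrite_amount(envelope: bytes, new_amount: str) -> bytes:
    """Model an intermediary past the TLS endpoint that edits the Body in place."""
    root = ET.fromstring(envelope)
    root.find(".//amount").text = new_amount
    return ET.tostring(root, encoding="utf-8")


def is_plaintext_on_wire(envelope: bytes, field_value: str) -> bool:
    """True when the field value is readable directly in the transmitted bytes."""
    return field_value.encode("utf-8") in envelope


if __name__ == "__main__":
    key = b"constructed-shared-key"           # assumption: pre-shared between peers
    msg = build_envelope("ACC-1001", "100")
    tag = sign_body(msg, key)
    print("plaintext on wire:", is_plaintext_on_wire(msg, "100"))   # True
    print("original verifies:", verify_body(msg, key, tag))         # True
    altered = rewrite_amount(msg, "9999")
    print("altered verifies: ", verify_body(altered, key, tag))     # False
```

The session-level layer (HTTPS) is deliberately absent from the block: it would hide the bytes from an outside observer but would not change either result, since the tag is computed and checked at the application endpoints, not at the socket.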