Cart
[Home] [By Thread] [By Date] [Recent Entries]
On Sat, 23 Nov 2002 09:42:13 -0800 (PST), m a r l o n . n e l s o n <thesardonicwon@y...> wrote: > My question now is, what role does security play in all this? How secure > is the 'city'? As best I understand it, the city is as secure as the garrison behind the walls, i.e. the infrastructure that is already in place for authentication, authorization, encryption, non-repudiation, signatures, etc. WS-Security only claims to provide a mechanism for identifying and exchanging security tokens so that the security parameters can be negotiated over the Web. Since most of what people do with web services now is negotiated up front rather than in real time when services are invoked, the "insecurity" of web services is a red herring: businesses can negotiate a mechanism for exchanging security tokens, or use a proprietary security scheme, or whatever. Conversely, if WS-Security became a universally supported standard tomorrow, that wouldn't make web services secure unless the parties invest in the security infrastructure they would need to secure their human-centric web applications, their COM/CORBA applications, etc. The standards just make it a bit easier to handle the boring details, they don't create secure web service environments.
|
