Re: Browser innovation efforts -- where's W3C in this picture?
> It's a slight overstatement -- very occasionally it is, in fact, necessary
> to make uncomfortably large specifications -- but for the most part, I agree
> with it. Profiles are a pragmatic way to salvage something from a morbidly
> obese specification, but they also significantly increase compatibility
> problems: if you have n different profiles, then you have n^2-1 lines of
> incompatibility.

Sometimes a spec isn't huge, but is instead a simple container. Many security specs are written this way. For example, the IETF has profiled X.509 certificates and Liberty is a profile of SAML.

Sometimes (again, in the security world), the data format itself must be well-designed or it can be a weak spot. For example, Bleichenbacher's attack that made newspaper headlines in 1998 was because he found a weakness in how the RSA signature was padded to fill out a buffer.

So, once you get a secure data format, you often leave it "open" so that various crypto mechanisms (RSA, DSA, etc.) can be used within that data format. In this case, you need a profile to determine which crypto to actually use. An example of this is WS-I Basic Security Profile of WS-Security, which itself profiles/specifies/refines how to use XML DSIG and XML Encryption to cryptographically secure SOAP messages.

Hope this helps.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html








