Tuesday, July 02, 2002


The best alternative to X.509 PKI that never really went anywhere is still Rivest/Ellison's Simple Distributed Security Infrastructure (SDSI). The specs here lay out what I think are the best-to-date set of design goals. If you updated this for XML, you might really be on to something :).


11:49:00 PM    

Web services security and XML pixie dust. It's an article of faith right now in the web services realm that security is the major roadblock. We're all sitting around drumming our fingers on the table, the story line goes, just waiting for consensus to emerge from that cloud of dust the standards-makers are kicking up. ... [Jon's Radio]

hehe. If only someone would design a security standard that actually fit the requirements of the job instead of some overly formal, unnatural model of how trust translates into bits.


11:35:54 PM    

>>>Application and data security has often been marked by a "it's good enough" lowest common denominator approach. My pragmatic bone tells me that web services will be the same. I doubt most organizations will wait for or agree upon the perfect solution. [Brent Sleeper: Web Services] <<<

The truth about security is that some amount of risk is inevitable, and more importantly, acceptable. It comes down to a cost/benefit question: how much more risk have I alleviated by spending the money to implement and maintain this level of security? I think that the break-even comes much earlier (at a much lower level of security) than most security experts and industry pundits are willing to acknowledge.

I think this is why PKI has never gone anywhere: ridiculously expensive to set up and maintain for the increment in real security you get relative to simpler and less expensive things.

There is the risk that we're essentially building on a flood plain, that we haven't seen the real threats yet that these increments in security would protect us against. But I wouldn't bet on it.


11:18:26 PM    

Is Security the #1 Obstacle? Commenting on my links last week to three eWeek articles on digital identity, Brent Sleeper writes, "If history with things like e-commerce is any indicator, it won't be as uniformly important as the conventional wisdom seems to indicate." Jon Udell addressed the same topic today.

My experiences are the same as Jon's. I, too, was convinced that PKI would take off in the late 90s. I had not just one, but two personal digital certificates. (Maybe that was part of the problem: I couldn't use my Netscape certificate with Microsoft software and vice versa.) As to web services, I think a much greater obstacle than security is the lack of standards for business semantics. While the standards for web-services security have yet to be agreed to, we know how to solve the security problems. They're no longer rocket science. Companies like Grand Central Communications are already stepping up to provide reasonable ad-hoc solutions. But pulling together all the players in an industry and coming up with a common semantic model for real-world business processes, now that's a real challenge. [Doug Kaye: Web Services Strategies]
4:47:12 PM    


Coursey on Palladium [Slashdot: News for nerds, stuff that matters] Man, is David Coursey lame. Weak reporting, worse forecasting, and now this thing which is just an excuse for getting scooped by Stephen Levy. Sorry, just had to get that off my chest.
10:52:01 AM    

North American companies are adopting web services at a faster rate than anticipated, and companies that hold back on this cutting-edge technology risk being bypassed by more nimble competitors, according to a new research report from The FactPoint Group and Outsource Research Consulting. [Source: Brent Sleeper]

A survey conducted by Evans Data suggests 98% of IT managers plan to develop web services-enabled applications within the next two years and 75% are already incorporating web services. [Source: WebServices.org via Julian Bond] [Doug Kaye: Web Services Strategies]


7:52:17 AM