The foibles of XML security

Posted on February 22, 2006
Filed Under /dev/null/

Between inadvertently lighting expensive bits of hardware on fire (“Remember, the devices won’t work anymore once the magic smoke gets out”) and installing OS X development tools I have a lot of time these days to read the various screeds, rants and raves on the web. This one struck me as particularly poignant and amusing, mainly because in years of using XML I’ve never actually understood why anyone would want to secure it. The stuff it contains, sure thing boss, but the XML itself? C’mon….

Why XML Security is Broken by Peter Gutmann.

Unfortunately, this approach was heresy to the XML security folks because,
well, PGP and S/MIME aren’t XML. So they had to reinvent the wheel in XML.
This led to a second problem: Since there’s only one logical way to structure
secured data, it’d be obvious to anyone that all they’d done was reinvent the
wheel in XML. To avoid this problem as well, they reinvented the wheel in
XML, but made it square to avoid accusations that they’d just reinvented the
wheel.

Reminds me of the classic Jamie Zawinski quip: “Some people, when confronted with a problem, think ‘I know, I’ll use regular expressions.’ Now they have two problems.”
