Liudvikas Bukys

IPSec VPNs for Extranets: Not what you want to wake up next to

The VPN Paradox:
For the past several years, vendors have touted VPNs as the natural solution for leveraging the lower cost Internet medium to support intranets, remote access, e-commerce, and extranets. While VPNs have made significant progress in replacing dial and leased lines for RAS and intranet connections, they have fallen short when it comes to Extranets. In general VPNs are ill suited to building multi-company extranets [see Jim Slaby, Giga Information Group] or any situation that extends across organizational boundaries or where there is unbalanced trust between end points.

VeriSign opens up Web services roadmap. CW360.com Feb 21 2002 12:30PM ET [Moreover – Computer security news]

CNET: .NET morphing over time ‘As Microsoft prepares to launch the first trials of .Net My Services this fall, key details of the plan are still “not figured out,” said Jim Allchin, Microsoft’s group vice president in charge of Windows and server software development. “I think we just got ahead of ourselves and didn’t get clear enough thinking,” he said, echoing similar concerns
voiced last August.’

Ephraim Schwartz details the man-in-the-middle attack that’s possible in the current iteration of 802.1x authentication: because of the way in which 802.1x pieces elements of security together, a man-in-the-middle attack is possible in which a hacker poses as an access point to a client and a client to an access point. William Arbaugh and his graduate student Arunesh Mishra at the University of Maryland have made their report available in PDF form. (If you don’t have PDF, use Adobe’s online PDF-to-HTML converter.)

[80211b News]

Apache XML Security 1.0.0 released. The Apache XML Project have released the first stable version of their XML Security project, implementing Canonical XML and XML Signature. [xmlhack]

Schneier worried about SOAP security. Bruce Schneier has written,
in the latest issue of CRYPTO-GRAM,
an analysis of the security of Microsoft’s products, touching on .NET and SOAP. [xmlhack]

Snoop Software Shreds Reality. Wired News Feb 11 2002 6:39AM ET

David Gelertner,­ the world-renowned computer scientist, Yale professor, author and art critic — says he has a prescription for companies to avoid Enron-Arthur Andersen-type scandals: better management of corporate e-mails, Web pages, calendar items and other electronic documents.

…
Gelertner has more than a passing interest in pushing a solution for corporate ills that center around “knowledge management,” as it’s known in IT circles. He’s the chief scientist for a startup,
Mirror Worlds Technologies, which makes such a system. Xerox, Autonomy and Lotus are some of the company’s knowledge management competitors.

[via Moreover – Tech latest]

More evidence that the tune is changing. No longer are we the unwashed masses yearning to be taught the true path to enlightenment by the C developers, now they’re pleading with us to help them work around limits in their crippled environments. Heh. Now don’t go overboard. But the self-deprecation is appreciated. One of our mottos is It’s Even Worse Than It Appears. We are all members of the Church of Murphy, whether we use static or dynamic environments.   [Scripting News]

MSDN: Don Box on the Importance of Being WSDL

Despite the years I spent trying to make SOAP a standard way for programs to communicate over the Internet; I find that raw SOAP and XML are at odds with all of these compilers I am now using. I am told that if you give me machine-readable contract definitions, my compiler can help me talk to your Web services. A lot.

If you don’t give me a machine-readable contract, then I am going to have to write one of these weird-looking WSDL files by hand, and that always makes me cranky. I understand that writing WSDL makes you cranky too, but I’ll bet if you wrote the WSDL once and put it on your Web site, everyone else would just use it, and no one would ever need to write that WSDL again. And if you wrote a ten-line WS-Inspection or DISCO file to go along with it, I could find out about all of your other services too.

I know that WSDL isn’t perfect. God knows I tried to make it better prior to publication. Luckily, the W3C just launched a WSDL working group and it looks like the community at large has the will to clean it up, just as SOAP was cleaned up once it got the attention of a large community of practitioners and experts. In fact, SOAPBuilders is running a WSDL bake-off in February that surely will yield some progress on this front.

I also know that writing WSDL for your script-based Web services is more work for you, but your suffering would benefit thousands or more developers anxious to use your stuff. And just think of the nice things they will say about you once you made their lives easier.

And not under their breath.

Miguel de Icaza: Mono and GNOME. The long reply. [Linux Today]

News.Com: Giants forging Web services consortium.

InfoWorld: IBM, Microsoft, BEA partner on Web services.

IN AN ATTEMPT to ensure consistency in the development of Web services, IBM, Microsoft, and BEA Systems on Thursday will announce a software group the purpose of which will be to promote existing and future standards as defined by the World Wide Web Consortium (W3C) and the Organization for the Advancement Of Structured Information Standards (OASIS).

According to those who are familiar with the charter of the new group, called the Web Service Interoperability Organization, it will campaign to better educate developers about how to build Web services as well as advocate the consistency of building block standards such as SOAP (Simple Object Access Protocol), UDDI (Universal Description, Discovery, and Integration), and the WSDL (Web Services Description Language).

And, perhaps more importantly, the group will be actively encouraging the consistency of future Web services standards to come that address fundamental capabilities such as transactions management systems, security, identification, and authorization, sources said.