Web services security and XML pixie dust

It's an article of faith right now in the web services realm that security is the major roadblock. We're all sitting around drumming our fingers on the table, the story line goes, just waiting for consensus to emerge from that cloud of dust the standards-makers are kicking up.

When I look at the proposed standards, though, I see a bunch of familiar stuff. Name/password authentication, Kerberos, access control lists, PKI certificates, signing, encryption. All this has been part of the web forever, though admittedly PKI and Kerberos haven't really gotten over the activation threshold.

I don't think its a bad idea to wrap XML around this stuff. But I'm not convinced that will solve the hard problem. What's hard is that security technologies are just a royal pain in the ass to deal with. I was sure, for example, that client certificates would be widespread by 1997 as a mode of authentication to websites, and as a single sign-on solution. Today I'm one of a handful of people who have ever bothered to acquire a client cert.

Are we just trying to XMLize Kerberos and PKI and ACLs because we hope the magic pixie dust of XML will make the pain go away?

Former URL: http://weblog.infoworld.com/udell/2002/07/02.html#a326