I've spent a lot of time with WS-Security lately,
partly because of the bruhaha over its use in MsComService,
and partly because I'm digging more deeply into WSE 2.0. Like most of my friends (and
a penguin Gudge knows), I'm a
plumber. I like spending time thinking about how to program with XML messages (feeding my
reputed addition). But I realized last weekend that there are limits, even for
me. I realized that I want someone else to take care of security for me...
It's not that I'm not interested - I think it's a fascinating topic. But I have too
many other things going on to lose myself in it, and I don't trust myself to build
something secure if I have to worry about all the details of signing, encryption,
nonces, hashes, etc. myself. Hopefully a day will soon come when I can simply request
a secure channel to a distant service and sit back and relax, confident that someone
else has thought about the hard security problems for me.
Then I can spend more time thinking about what the bodies of my message look like
- the problem domain specific part that it's hard for other folks to help me with...