Firewall Wizards mailing list archives

Re: XML tag encryption?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 05 Jun 2002 09:23:52 -0400

Rama Kant wrote:
<amex cc no>3744 342298 98000</amex cc no>

Now which application developer would be so much out of his/her mind to embed such XML codes?

Hmm... Don't you work with programmers much?

I'm figuring that just about 95% of the software engineers out
there, if they were going to embed a credit card number, would do
exactly that!! Maybe they'd use a syntax more like:
<ccno type=amex>3744 342298 98000</ccno>

C'mon. These kinds of things happen all the time. Someone tells
the programmer to store the CC# someplace and they use the most
sensible approach at the time. Later, some marketing guy says
"oh yeah, now we can send that over the INTERNET!" and the
programmer has already populated all the databases with the
<ccno> tag. Ooops. Tight deadline. Just ship it.

Joking aside, the solution we're talking about is just another
boundary data-processor. It could just as easily be an awk
script that strips out <ccno> tags, or a fancier script that
shoves them through pgp. The value of this "solution", if it
has any, is in the integration it offers the customer. The
market will tell.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
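
The kind of awk boundary filter the message above mentions, as an added example that is not part of the original post or written by its author. It keeps the <ccno> tags and blanks their body rather than dropping the element; the function names, the [REDACTED] marker and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stream filter that blanks the body of every <ccno ...> element
# before the data crosses a boundary. Handles attributes, mixed case, several
# elements on one line, and an element whose body spans lines.
redact_ccno() {
    awk '
    BEGIN { inside = 0 }
    {
        line = $0; out = ""; started_inside = inside
        while (line != "") {
            if (inside) {
                # Body text is dropped until the closing tag shows up.
                if (match(line, /<\/[Cc][Cc][Nn][Oo][ \t]*>/)) {
                    out = out substr(line, RSTART, RLENGTH)
                    line = substr(line, RSTART + RLENGTH)
                    inside = 0
                } else {
                    line = ""
                }
            } else if (match(line, /<[Cc][Cc][Nn][Oo]([ \t][^>]*)?>/)) {
                # Keep everything up to and including the opening tag.
                out = out substr(line, 1, RSTART + RLENGTH - 1) "[REDACTED]"
                line = substr(line, RSTART + RLENGTH)
                inside = 1
            } else {
                out = out line
                line = ""
            }
        }
        # A line that was entirely element body produces no output line.
        if (!(started_inside && out == "")) print out
    }'
}

# Constructed sample records; the card number is the one quoted in the thread.
sample_input() {
    cat <<'EOF'
<order id="1"><ccno type=amex>3744 342298 98000</ccno></order>
<order id="2"><CCNO>
3744 342298 98000
</CCNO><ccnotes>call first</ccnotes></order>
EOF
}

sample_input | redact_ccno
```

A pattern filter like this only catches the tag spellings it was written for; the same number under a different element name, or entity-encoded, passes straight through.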