Some General Observations about Security


It isn't enough just to create or process XML documents; you have to exchange them with other applications. When those applications are under the control of other organizations, we've moved into the area of what is broadly called "electronic commerce." Since that's the primary focus of my consulting practice, I can't quite close this book without saying a bit about it. However, I won't say very much. Most of the end user target audience for this book, and the people who develop applications for them, aren't given very many choices. They do what large customers or government agencies require. I would like to help you understand why those organizations are telling you to do certain things and, if they do give you any options, to help you make those choices.

At the bottom line, all the choices we have to make about moving documents over the Internet depend on security. So, to set some perspective, here are a few observations and facts about security.

  • It is easier for a store clerk, waitress, or someone who takes your catalog order by phone to steal your credit card number than it is for someone to pluck it off the Internet while in transit.

  • It is easier for someone to grab your credit card number from your mailbox or your trash than it is to pluck it off the Internet while in transit. (How many of you use locked mailboxes and shred your trash?)

  • It is easier for a hacker to break into a system where your credit information is stored than it is to pluck it off the Internet in transit.

  • In over ten years of working with EDI, I've never heard of a fraudulent EDI transmission of business data: no bogus invoices, no orders to be shipped to suspicious locations. Granted, it is harder to break into the third-party value-added networks used for EDI than it is to hack the Internet. However, without giving away any hints, it's not impossible.

  • The most popular e-mail programs offer support for X.509 digital certificates that support encryption and digital signatures. With all the sensitive e-mails that I exchange and agreements that are confirmed by e-mail, only two of my regular correspondents ever use digital certificates for e-mail.

Are people overly paranoid about security? Probably so, but don't try using that as a defense when you're prosecuted for not securing the confidentiality of personal information about patients or students. And if you try telling that to the folks at Wal-Mart, they'll probably drop you from their vendor list.



Using XML with Legacy Business Applications
ISBN: 0321154940
EAN: 2147483647
Year: 2003
Pages: 181
