RE: draft-cohen-http-ext-postal-00.txt

From: David W. Morris (dwm@xpasc.com)
Date: Tue, Feb 24 1998


Date: Tue, 24 Feb 1998 13:40:58 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: Josh Cohen <joshco@microsoft.com>
cc: koen@win.tue.nl, ietf-http-ext@w3.org, rdebry@us.ibm.com
Message-ID: <Pine.GSO.3.96.980224132527.8945F-100000@shell1.aimnet.com>
Subject: RE: draft-cohen-http-ext-postal-00.txt
On Mon, 23 Feb 1998, Josh Cohen wrote:

> > -----Original Message-----
> > From: koen@win.tue.nl [mailto:koen@win.tue.nl]
> > Sent: Monday, February 23, 1998 9:31 AM
> > [...] 
> If this was 1 year from now and all http based applications
> were firmly in using POST, I would be more willing to 'taint'

The cat is FIRMLY out of the bag ... at this stage I find it a waste
of effort to preclude a new 'formal' use of HTTP from using POST when
the same kind of function is being built around the world every day
sending the same kinds of data using POST.

> > I could not disagree more.  I feel that there are many cases in which
> > it would be quite legitimate for the IETF to decide that, for a
> > certain protocol, the default mode should be that `the average
> > liberally configured firewall' accepts the protocol.
> > 
> [.. snip ..]
> I disagree; however, I can accept that this is an issue
> on which experts can disagree.
> Folks who find firewalls an unwelcome restriction on communications
> will likely feel that the protocol designers can rightfully choose
> which new functionality is 'safe' to pass through firewalls without
> operator intervention.

Beyond being able to define how a firewall might filter a particular
kind of traffic, I think it would be a waste of time for the IETF
to stipulate the default behavior of an HTTP application within
a firewall. The providers of firewall software will provide the
default behaviors they feel appropriate based on their expertise as
firewall software engineers. Most experts I've read favor deny-all/
allow-selected ... the actual software I've used and studied
can work in either the deny-all/allow-selected mode or the
allow-all/deny-selected mode, depending on the local security policy.

As Koen has already pointed out, any organization looking at the
content of the HTTP data stream has much more to worry about and at
a much higher level of detail than the HTTP method will discern.

Filtering IPP globally by method won't be useful for the vast
majority ... mostly because of all the other similar ways for data
to escape (POST/file upload, FTP, etc.), for which filters have to
be written anyway. Of much more interest will be the host
receiving the request, etc.

Dave Morris