W3C home > Mailing lists > Public > xml-dist-app@w3.org > August 2001

Re: Proposal for a protocol binding model

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 21 Aug 2001 23:15:07 -0700
To: Mark Baker <distobj@acm.org>
Cc: Henrik Frystyk Nielsen <henrikn@microsoft.com>, xml-dist-app@w3.org
Message-ID: <20010821231502.A1287@mnot.net>

On Tue, Aug 21, 2001 at 02:21:31PM -0400, Mark Baker wrote:

> > (tho I don't really see the utility in this).
> 
> It's primarily for security reasons.  A firewall admin should be
> able to identify (for blocking, or further filtering) SOAP based
> protocols being tunneled over application protocols, while permitting
> uses of SOAP that use the application protocols as they were designed
> to be used.

This is a horrible security mechanism; why in the world would you
trust a label that says "no bomb is in this suitcase?"

The predominant feedback from sysadmins and IETF-heads that I see
(and happen to agree with) is 'better not label it at all, lest
someone thinks the label actually means something.' This is why
SOAPAction should die IMHO, and any content-type that tries to go
beyond 'this is a SOAP message' should as well; the content type
system is engineered for convenience, not application of security
policy.

-- 
Mark Nottingham
http://www.mnot.net/
 
Received on Wednesday, 22 August 2001 02:15:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:59:03 GMT