
Re: Proposal for a protocol binding model

From: Mark Baker <distobj@acm.org>
Date: Wed, 22 Aug 2001 03:13:04 -0400 (EDT)
Message-Id: <200108220713.DAA14873@markbaker.ca>
To: mnot@mnot.net (Mark Nottingham)
Cc: henrikn@microsoft.com (Henrik Frystyk Nielsen), xml-dist-app@w3.org
> This is a horrible security mechanism; why in the world would you
> trust a label that says "no bomb is in this suitcase?"

A better analogy, I believe, would be a grenade.  As long as the
pin isn't pulled, you're safe.  That's what I'm talking about
here; not just willy nilly pulling pins out of anything that
happens to find its way across your firewall.

While the mechanism I'm suggesting is a label ("I'm a grenade" in
the case of a tunneled protocol), it is primarily a dispatch
mechanism.  The only way pins will get pulled is if the grenade
gets dispatched to a pin-pulling piece of software (so to speak).

I believe it would be a good thing to ask that an incoming message
explicitly request the privilege of being able to pull pins, and to
allow firewall admins to answer "no".

> The predominant feedback from sysadmins and IETF-heads that I see
> (and happen to agree with) is 'better not label it at all, lest
> someone thinks the label actually means something.' This is why
> SOAPAction should die IMHO, and any content-type that tries to go
> beyond 'this is a SOAP message' should as well; the content type
> system is engineered for convenience, not application of security
> policy.

Perhaps, though as mentioned, dispatch does take place on the label
and Content-Type is used for dispatch (just not exclusively).  But
I don't much care what the solution looks like, as long as there is
one.

What's the media type for a protocol anyhow? 8-)

MB
Received on Wednesday, 22 August 2001 03:13:11 GMT
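
The dispatch-on-label model argued for in this message, as an added sketch that is not part of the original post or of any SOAP implementation. The media type `application/x-tunneled-rpc`, the handler names, the admin policy and the sample requests are all hypothetical and constructed for illustration.

```python
# Added illustration: labels, handlers and requests below are constructed.
TUNNEL_LABEL = "application/x-tunneled-rpc"  # hypothetical media type


def store_only(body):
    """Inert handler: keeps the bytes, never interprets them."""
    return "stored"


def run_rpc(body):
    """The 'pin-pulling' software: the only handler that acts on the body."""
    return "executed " + body.strip()


# Dispatch table: the label alone selects the software that sees the body.
HANDLERS = {"text/plain": store_only, TUNNEL_LABEL: run_rpc}


def parse_request(raw):
    """Split a raw HTTP request into a lower-cased header dict and a body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def label_of(headers):
    """Return the bare media type, or None when the message is unlabelled."""
    value = headers.get("content-type")
    return value.split(";", 1)[0].strip().lower() if value else None


def gateway(raw, admin_allows):
    """Return (decision, detail) for one raw request under the admin policy."""
    headers, body = parse_request(raw)
    label = label_of(headers)
    if label is None or label not in admin_allows:
        return ("blocked", label)  # the admin answered "no"
    handler = HANDLERS.get(label, store_only)  # unknown labels stay inert
    return ("dispatched", handler(body))


def make_request(content_type, body="ping"):
    """Build a constructed sample request; content_type=None omits the label."""
    lines = ["POST /endpoint HTTP/1.1", "Host: example.test"]
    if content_type:
        lines.append("Content-Type: " + content_type)
    return "\r\n".join(lines) + "\r\n\r\n" + body
```

The same body labelled `text/plain` passes the policy but only ever reaches the inert handler, which is the sense in which the label acts as dispatch rather than as a statement of safety.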
