
Re: Proposal for a protocol binding model

From: christopher ferris <chris.ferris@east.sun.com>
Date: Wed, 22 Aug 2001 09:58:36 -0400
Message-ID: <3B83BA8C.D99D1DAE@east.Sun.COM>
To: Mark Nottingham <mnot@mnot.net>
CC: Mark Baker <distobj@acm.org>, Henrik Frystyk Nielsen <henrikn@microsoft.com>, xml-dist-app@w3.org

+1

Mark Nottingham wrote:
> 
> On Tue, Aug 21, 2001 at 02:21:31PM -0400, Mark Baker wrote:
> 
> > > (tho I don't really see the utility in this).
> >
> > It's primarily for security reasons.  A firewall admin should be
> > able to identify (for blocking, or further filtering) SOAP based
> > protocols being tunneled over application protocols, while permitting
> > uses of SOAP that use the application protocols as they were designed
> > to be used.
> 
> This is a horrible security mechanism; why in the world would you
> trust a label that says "no bomb is in this suitcase?"
> 
> The predominant feedback from sysadmins and IETF-heads that I see
> (and happen to agree with) is 'better not label it at all, lest
> someone thinks the label actually means something.' This is why
> SOAPAction should die IMHO, and any content-type that tries to go
> beyond 'this is a SOAP message' should as well; the content type
> system is engineered for convenience, not application of security
> policy.
> 
> --
> Mark Nottingham
> http://www.mnot.net/
>
Received on Wednesday, 22 August 2001 09:58:41 GMT
