W3C home > Mailing lists > Public > xml-dist-app@w3.org > July 2001

Re: A tale of two bindings

From: Mark Baker <mbaker@markbaker.ca>
Date: Tue, 24 Jul 2001 14:48:37 -0400 (EDT)
Message-Id: <200107241848.OAA04073@markbaker.ca>
To: rsalz@zolera.com (Rich Salz)
Cc: xml-dist-app@w3.org
> The list of differences is completely ridiculous.  I can write
> tunnelling-oriented SOAP right now, and the only difference between what
> I use and your "application semantic" binding is whether faults come
> back using 500 or 200.

And the use of port 80, at a minimum.  There could very well have
been other major differences, as my tunnel-binding wasn't completely
specified as you may have noticed.

A binding is not a trivial piece of design work.  I'm quite sure one can
be quickly thrown together, but when done without a set of requirements,
could potentially do major damage.

> > (**) A tunnel binding only requires a single bit of SOAP-identifying
> > information on an inbound message in order to unambigously identify
> > to a receiving implementation that a tunnel needs to be established.
> 
> Not at all.  It could be completely up to the local server
> configuration.  I could write all my web services as CGI scripts and
> nobody would know.

You mean that the use of a tunnel could be hidden from intermediaries?
Ouch, I'm sure firewall admins would just love the W3C for that one.
While we can't stop anybody from tunneling, we should certainly aim
to provide a binding that makes it cheap and easy for tunneling to
be detected.  To not do so would be to commit a major security
faux pas.

MB
Received on Tuesday, 24 July 2001 18:59:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:59:03 GMT