Re: A tale of two bindings

From: Rich Salz <rsalz@zolera.com>
Date: Wed, 25 Jul 2001 13:38:27 -0400
Message-ID: <3B5F0413.E0353063@zolera.com>
To: mark.baker@sympatico.ca
CC: xml-dist-app@w3.org

> I answered this one already.  HTTP response code 401 is very
> specific to HTTP authentication and does not include SOAP
> signatures.

okay, then 403. :)

> But you always get a 200 in the binding that I believe you're
> promoting.  Isn't that a bit inefficient?

Perhaps, trivially so.  But it's a worthwhile tradeoff in terms of code
complexity, etc.

> How else would you suggest we allow firewall administrators to disallow
> SOAP invocations over their firewalls?

We should tell them: that's not the way to make things secure.

> Not at all.  Using a new URI scheme does not preclude HTTP from
> being the protocol used to access it.  Just as the HTTPS URI
> scheme uses HTTP, so can the SOAP one.

You're mixing theory and reality. :)  If I have to teach the HTTP
infrastructure about a new URI scheme then the benefit of tunneling is
lost.

I just did "telnet www.apache.org 80" and said "GET foo:/ HTTP/1.0" and
got back:
	Invalid URI in request GET foo:/ HTTP/1.0


-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Received on Wednesday, 25 July 2001 13:38:24 GMT