> I answered this one already. HTTP response code 401 is very > specific to HTTP authentication and does not include SOAP > signatures. okay, then 403. :) > But you always get a 200 in the binding that I believe you're > promoting. Isn't that a bit inefficient? Perhaps, trivially so. But it's a worthwhile tradeoff in terms of code complexity, etc. > How else would you suggest we allow firewall administrators to disallow > SOAP invocations over their firewalls? We should tell them: that's not the way to make things secure. > Not at all. Using a new URI scheme does not preclude HTTP from > being the protocol used to access it. Just as the HTTPS URI > scheme uses HTTP, so can the SOAP one. You're mixing theory and reality. :) If I have to teach the HTTP infrastructure about a new URI scheme then the benefit of tunneling is lost. I just did "telnet www.apache.org 80" and said "GET foo:/ HTTP/1.0" and got back: Invalid URI in request GET foo:/ HTTP/1.0 -- Zolera Systems, Your Key to Online Integrity Securing Web services: XML, SOAP, Dig-sig, Encryption http://www.zolera.comReceived on Wednesday, 25 July 2001 13:38:24 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 12 October 2006 00:08:41 GMT