Re: A tale of two bindings

From: Rich Salz <rsalz@zolera.com>
Date: Fri, 27 Jul 2001 21:21:40 -0400
Message-ID: <3B6213A4.DAA93C5F@zolera.com>
To: mark.baker@sympatico.ca
CC: xml-dist-app@w3.org
> > > Without getting into the details, if I only allow GET invocations
> > > to my site, and don't install any software that does "silly GET
> > > tricks", I'm secure.

And if I don't install a SOAP processor on my web server, I'm secure.

> > "make it obvious to firewalls, etc." isn't on that list [of requirements].

> Yup ...

I am glad you agree.  Will you now stop saying it's something we should

> R612 ...
> appears to exclude the possibility of the WG defining a normative
> binding used for tunneling, as tunneling does not respect HTTP semantics.

I disagree.  HTTP makes no comment on the data format in a POST.  And
what HTTP semantics are being violated by a tunnel telling HTTP "don't
worry, be happy, 200" ?

If we change SOAP 1.1 to say faults came back as 200 and SOAPAction is
deprecated, then we meet R612.

I don't think I have anything new to contribute to this discussion, so I
expect this to be my last post on this topic.

Zolera Systems, Securing web services (XML, SOAP, Signatures,
Received on Friday, 27 July 2001 21:20:02 UTC
