RE: SOAPAction thoughts from elsewhere

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 07 May 2001 14:49:47 -0700 (PDT)
To: Noah_Mendelsohn@lotus.com
Message-ID: <989272187.3af7187bc5e38@mail.mnot.net>
Cc: Henrik Frystyk Nielsen <henrikn@microsoft.com>, marting@develop.com, mnot@mnot.net, xml-dist-app@w3.org


I see the distinction as that between stopping malicious users (which SOAPAction
can't do) and the application of policy at the border of the administrative
domain (which SOAPAction can help).

Firewall administrators are untrusting by nature; they won't depend on
downstream SOAP processors to do any checking, on the assumption that they're
malicious or poorly implemented.


Quoting Noah_Mendelsohn@lotus.com:

> Henrik Nielsen writes:
> 
> >> It is disappointing that people read into 
> >> SOAPAction any security mechanism
> 
> I thought it was very clearly intended as, in part, a security hint, and
> in that sense a part of a security mechanism.  My understanding was that
> the intended operation would be that security filters would reject traffic
> with untrusted SOAPAction headers, but that final checking would be done
> by the actual downstream SOAP processor which has access to the more
> reliable (as opposed to hint) information within the envelope.  Are we
> saying the same thing?
> 
> ------------------------------------------------------------------------
> Noah Mendelsohn                                    Voice: 1-617-693-4036
> Lotus Development Corp.                            Fax:   1-617-693-8676
> One Rogers Street
> Cambridge, MA 02142
> ------------------------------------------------------------------------
> 
Received on Monday, 7 May 2001 17:50:09 GMT
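The two-stage model the thread describes (a border filter that applies policy on the SOAPAction hint, then a downstream SOAP processor that does the final check against the envelope itself) can be made concrete. The following is an added illustration, not code from the list or from any SOAP implementation; the allowlist, the URN values, the operation names and the sample requests are all constructed for the example. It parses a raw HTTP request, admits or rejects at the border on the SOAPAction header alone, and then has the processor verify that the first child of the SOAP Body actually is the operation the header claimed, flagging a mismatch as a separate rejection reason so that the two kinds of failure are distinguishable in logs.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Border policy (constructed for this example): SOAPAction values the
# administrator admits, each mapped to the (namespace, local name) of the
# Body child the envelope is expected to carry for that action.
ALLOWED_ACTIONS = {
    '"urn:example:GetQuote"': ("urn:example:stock", "GetQuote"),
    '"urn:example:ListItems"': ("urn:example:catalog", "ListItems"),
}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body bytes).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def border_filter(headers):
    """Stage 1: policy at the administrative border, using only the hint."""
    action = headers.get("soapaction")
    if action is None:
        return False, "missing SOAPAction header"
    if action not in ALLOWED_ACTIONS:
        return False, f"SOAPAction {action} not in allowlist"
    return True, "admitted on SOAPAction hint"


def envelope_check(headers, body):
    """Stage 2: the downstream processor checks the envelope, which is the
    reliable source, and confirms it agrees with the SOAPAction hint."""
    expected_ns, expected_local = ALLOWED_ACTIONS[headers["soapaction"]]
    root = ET.fromstring(body)
    if root.tag != f"{{{SOAP_ENV_NS}}}Envelope":
        return False, "not a SOAP envelope"
    soap_body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return False, "empty or missing Body"
    first = soap_body[0]
    m = re.match(r"\{([^}]*)\}(.*)", first.tag)
    ns, local = (m.group(1), m.group(2)) if m else ("", first.tag)
    if (ns, local) != (expected_ns, expected_local):
        return False, f"SOAPAction claims {expected_local} but Body carries {local}"
    return True, "envelope agrees with SOAPAction"


def process(raw: bytes):
    """Run both stages; the first element of the result says where a request stopped."""
    _, headers, body = parse_http_request(raw)
    ok, reason = border_filter(headers)
    if not ok:
        return "rejected-at-border", reason
    ok, reason = envelope_check(headers, body)
    if not ok:
        return "rejected-by-processor", reason
    return "accepted", reason


# Helpers to build constructed sample requests (hypothetical host and path).
def envelope(inner_xml: str) -> str:
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV_NS}"><soap:Body>'
            f'{inner_xml}</soap:Body></soap:Envelope>')


def build_request(action, body_xml: str) -> bytes:
    body = body_xml.encode("utf-8")
    head = ("POST /stock HTTP/1.1\r\nHost: soap.example\r\n"
            "Content-Type: text/xml; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\n")
    if action is not None:
        head += f"SOAPAction: {action}\r\n"
    return head.encode("iso-8859-1") + b"\r\n" + body


HONEST = build_request('"urn:example:GetQuote"',
                       envelope('<s:GetQuote xmlns:s="urn:example:stock"><s:symbol>ACME</s:symbol></s:GetQuote>'))
UNKNOWN_ACTION = build_request('"urn:example:Nope"',
                               envelope('<s:GetQuote xmlns:s="urn:example:stock"/>'))
NO_ACTION = build_request(None, envelope('<s:GetQuote xmlns:s="urn:example:stock"/>'))
# Hint says GetQuote, envelope says something else: passes the border, fails downstream.
MISLABELED = build_request('"urn:example:GetQuote"',
                           envelope('<a:DeleteAll xmlns:a="urn:example:admin"/>'))

if __name__ == "__main__":
    for name, req in [("honest", HONEST), ("unknown", UNKNOWN_ACTION),
                      ("no-action", NO_ACTION), ("mislabeled", MISLABELED)]:
        print(name, process(req))
```

The point the example makes is the one Noah and Mark are circling: the border filter can only act on what the header says, so its value is coarse policy (drop anything not on the list), while only the processor that parses the envelope can tell that the hint was wrong. Keeping the two rejection reasons separate is what lets an administrator see, from logs, when a request that the firewall admitted turned out not to match its own label.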