RE: SOAPAction thoughts from elsewhere

From: Henrik Frystyk Nielsen <henrikn@microsoft.com>
Date: Mon, 7 May 2001 14:13:45 -0700
Message-ID: <79107D208BA38C45A4E45F62673A434D0297CBE8@red-msg-07.redmond.corp.microsoft.com>
To: <Noah_Mendelsohn@lotus.com>
Cc: <marting@develop.com>, <mnot@mnot.net>, <xml-dist-app@w3.org>

Regarding the use as a hint, I think this is consistent with what you
suggest. What I tried to address was that some remarks in the mails that
Mark sent around read more into it than a hint and came to the
conclusion that as it can't be trusted (because it is a hint just like
content type etc) that it was not useful.

Henrik

>>> It is disappointing that people read into
>>> SOAPAction any security mechanism
>
>I thought it was very clearly intended as, in part, a security hint, and
>in that sense a part of a security mechanism.  My understanding was that
>the intended operation would be that security filters would reject traffic
>with untrusted SOAPAction headers, but that final checking would be done
>by the actual downstream SOAP processor which has access to the more
>reliable (as opposed to hint) information within the envelope.  Are we
>saying the same thing?
Received on Monday, 7 May 2001 18:31:21 GMT
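
The two-stage handling described in the quoted message above, sketched as an added example that is not part of the original thread: a filter that sees only the SOAPAction header, followed by a processor that checks the envelope. The mapping from SOAPAction URI to body element, the `urn:example:*` names and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Hypothetical policy: allowed SOAPAction URI -> the body element it may accompany.
ALLOWED = {
    "urn:example:quotes#GetQuote": "{urn:example:quotes}GetQuote",
}

def filter_accepts(soap_action):
    """Stage 1 (security filter): sees only the HTTP header, so all it can do
    is reject actions that are not on the allowlist."""
    return soap_action is not None and soap_action.strip('"') in ALLOWED

def processor_accepts(soap_action, envelope_xml):
    """Stage 2 (SOAP processor): checks the envelope itself and refuses a
    message whose body does not match what the header claimed."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        return False
    return body[0].tag == ALLOWED.get(soap_action.strip('"'))

def handle(soap_action, envelope_xml):
    """Run both stages and report which one, if any, refused the message."""
    if not filter_accepts(soap_action):
        return "rejected-by-filter"
    if not processor_accepts(soap_action, envelope_xml):
        return "rejected-by-processor"
    return "accepted"

def envelope(ns, op):
    """Build a constructed sample SOAP 1.1 message with one body element."""
    return (f'<e:Envelope xmlns:e="{SOAP_ENV}"><e:Body>'
            f'<m:{op} xmlns:m="{ns}"/></e:Body></e:Envelope>')
```

A header that passes the filter while the body names a different operation is caught only in the second stage, which is why the header alone works as a hint and not as the final check. A processor parsing untrusted envelopes should also limit XML entity expansion, for example with defusedxml.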