W3C home > Mailing lists > Public > xml-dist-app@w3.org > May 2001

Fwd: Re: SOAP/XML Protocol and filtering, etc.

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 07 May 2001 15:57:25 -0700 (PDT)
To: xml-dist-app@w3.org
Message-ID: <989276245.3af72855d3efa@mail.mnot.net>

Carson is the admin of the firewalls list; he gave me permission to forward.



----- Forwarded message from Carson <carson@taltos.org> -----
Date: Mon,  7 May 2001 15:55:05 -0700 (PDT)
From: Carson <carson@taltos.org>
Subject: Re: SOAP/XML Protocol and filtering, etc.
To: Mark Nottingham <mnot@akamai.com>

The initial response to your query on the firewalls mailing list may have 
already told you this, but just in case. Firewall admins do _not_ like 
SOAP, because:
- The usual anti-microsoft jihad
- It overloads an existing protocol with high-risk capabilities (arguably 
already present with CGI)
- The WG has yet to publish any security considerations, much less any 
controls

Coming to us at this point asking about a parsing header, before you've 
gotten anyone to agree on integrity, privacy, authentication, and 
authorization is putting the cart before the horse. That being said, I am 
certainly in favor of anything that enables an automated enforcement 
mechanism to make more intelligent decisions. My life would be made easiest 
if the soapaction header were forced to match the xml namespace. I'd still 
have to parse the xml if I wanted to do data validation, but if I trusted 
the client and server implementations, I'd just have to extraxt the header.
If you'd like a more constructive response in future, I suggest coming 
clean with the security status of SOAP in your message. Its possible that 
things are happening inside the WG, but nothing being published is a bad 
sign.

-- 
Carson

Return-Path: <mnot@akamai.com>
Delivered-To: akamai@mnot.net
Received: from athyra (localhost [127.0.0.1])
	by taltos.taltos.org (Postfix) with ESMTP id 38AB828787
	for <mnot@akamai.com>; Mon,  7 May 2001 14:22:07 -0700 (PDT)
Date: Mon, 07 May 2001 14:23:42 -0700
From: Carson Gaspar <carson@taltos.org>
Old-Subject: Re: SOAP/XML Protocol and filtering, etc.
Message-ID: <729077484.989245419@athyra>
In-Reply-To: <20010506225202.F1085@akamai.com>
References:  <20010506225202.F1085@akamai.com>
X-Mailer: Mulberry/2.1.0a5 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: mnot@akamai.com
Resent-Date: Mon, 07 May 2001 15:55:05 -0700 (PDT)
Resent-From: mnot@akamai.com
Resent-To: mnot@mnot.net
Resent-Message-ID: <989276105.3af727c968586@mail.mnot.net>
X-Originating-IP: 63.116.109.10


The initial response to your query on the firewalls mailing list may have 
already told you this, but just in case. Firewall admins do _not_ like 
SOAP, because:

- The usual anti-microsoft jihad
- It overloads an existing protocol with high-risk capabilities (arguably 
already present with CGI)
- The WG has yet to publish any security considerations, much less any 
controls

Coming to us at this point asking about a parsing header, before you've 
gotten anyone to agree on integrity, privacy, authentication, and 
authorization is putting the cart before the horse. That being said, I am 
certainly in favor of anything that enables an automated enforcement 
mechanism to make more intelligent decisions. My life would be made easiest 
if the soapaction header were forced to match the xml namespace. I'd still 
have to parse the xml if I wanted to do data validation, but if I trusted 
the client and server implementations, I'd just have to extraxt the header.

If you'd like a more constructive response in future, I suggest coming 
clean with the security status of SOAP in your message. Its possible that 
things are happening inside the WG, but nothing being published is a bad 
sign.

-- 
Carson


----- End forwarded message -----
Received on Monday, 7 May 2001 18:57:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:59:01 GMT