Mark Baker wrote: >On 1/10/06, David Hull <dmh@tibco.com> wrote: > > >> One small clarification. The sentence "The only problem appears to be that >>the resulting SOAP 'request' and 'response' messages aren't correlated in >>the usual manner." may seem to state that the usual rules of HTTP >>request-response are not in effect, which was not my intent and is >>definitely not what the rest of the piece is saying. It would probably have >>been better to say something more like "The only problem appears to be that >>the resulting SOAP request and response messages can also be interpreted as >>part of a message flow completely distinct from the HTTP request-response >>flow." >> >> > >Thanks for the clarification, David, I agree that the replacement text >describes a less serious problem than the original text. It's still a >problem though (as you note) from a transfer binding POV, > I believe I said, "This problem, if it is a problem at all, is of no concern to anything that just looks at HTTP." >and it does >still impact HTTP intermediaries, in particular in this case, >firewalls, which require knowing what's a request and what's a >response to do their job properly. Consider that if SOAP requests >could arrive as HTTP responses (PAOS anyone?), that this would be a >serious security problem. > > At the risk of sounding repetitious, what do you see as the security (or other) problem? >Mark. > > >Received on Wednesday, 11 January 2006 19:02:21 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:59:21 GMT