- From: Mark Baker <distobj@acm.org>
- Date: Fri, 5 Apr 2002 11:31:06 -0500
- To: Keith Moore <moore@cs.utk.edu>
- Cc: Mark Nottingham <mnot@mnot.net>, www-tag@w3.org
On Fri, Apr 05, 2002 at 11:07:06AM -0500, Keith Moore wrote:
> I don't think we should treat port 80 as a battleground.
> Nobody is claiming that every single application (in the sense
> that every URI is potentially a different application) needs a
> new port, only that there are disadvantages to running multiple
> applications over the same port if those applications differ in
> ways that are significant to a network administrator.

I'm in full agreement, but parts of 3205 suggest that the W3C and IETF/IESG may not be in agreement about what these differences are. From the response that Henrik, Randy, and I put together[1] (which, for everybody's information, was *not* an official response from the XML Protocol WG);

[...]
] Addressing these in bullet item order, the definitions of "traditional
] HTTP service" and "new service" are not clear. It is very difficult to
] characterize HTTP traffic in a meaningful way since every URI is
] potentially a "new service" in some fashion. Using the dataset referenced
] doesn't follow the spirit of the World Wide Web and resources of many
] types can co-exist in similar URI namespaces.
] Using the codebase or server process model to distinguish whether a "new
] service" is being offered is equally inadequate since it is common
] practice to use a variety of provisioning and coding models to implement
] services. Utilization of dedicated ports to filter services on the Web
] would not address all security issues and would be expensive in terms of
] number of ports in use and enterprise support requirements. Significant
] reconfiguration of enterprise infrastructure and additional implementation
] and support costs may be avoidable if a layered approach can be used to
] meet security, filtering and support requirements. Furthermore, it is not
] clear how allocating new port numbers is consistent with the desire for
] limiting use of new port numbers as has been seen in the case of SSL.

] While we do not support the specification of bindings to HTTP for the
] purpose of circumventing firewall policies, if a protocol uses the
] documented application semantics and extensibility features of HTTP 1.1,
] it should not be discouraged from using port 80.

So while I'm sure that we (IETF/IESG, W3C) share a common goal of ensuring that security is upheld, it's less clear to me that we agree about what that means in practice.

Also, I for one would be interested in your response to our comments, if you could find them. I don't know if the TAG would or not.

Thanks.

[1] http://lists.w3.org/Archives/Public/xml-dist-app/2000Dec/0061.html

MB
--
Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA. mbaker@planetfred.com
http://www.markbaker.ca http://www.planetfred.com
Received on Friday, 5 April 2002 11:25:44 UTC