Re: RFC 3205 background (HTTPSubstrate-16)

On Fri, Apr 05, 2002 at 11:07:06AM -0500, Keith Moore wrote:
> I don't think we should treat port 80 as a battleground.
> Nobody is claiming that every single application (in the sense 
> that every URI is potentially a different application) needs a 
> new port, only that there are disadvantages to running multiple
> applications over the same port if those applications differ in 
> ways that are significant to a network administrator.  

I'm in full agreement, but parts of 3205 suggest that the W3C and
IETF/IESG may not be in agreement about what these differences are.

From the response that Henrik, Randy, and I put together[1] (which, for
everybody's information, was *not* an official response from the XML
Protocol WG):

] Addressing these in bullet item order, the definitions of "traditional
] HTTP service" and "new service" are not clear.  It is very difficult to
] characterize HTTP traffic in a meaningful way since every URI is
] potentially a "new service" in some fashion. Using the dataset referenced
] doesn't follow the spirit of the World Wide Web and resources of many
] types can co-exist in similar URI namespaces. 
] Using the codebase or server process model to distinguish whether a "new
] service" is being offered is equally inadequate since it is common
] practice to use a variety of provisioning and coding models to implement
] services. Utilization of dedicated ports to filter services on the Web
] would not address all security issues and would be expensive in terms of
] number of ports in use and enterprise support requirements.  Significant
] reconfiguration of enterprise infrastructure and additional implementation
] and support costs may be avoidable if a layered approach can be used to
] meet security, filtering and support requirements.  Furthermore, it is not
] clear how allocating new port numbers is consistent with the desire for
] limiting use of new port numbers as has been seen in the case of SSL.
] While we do not support the specification of bindings to HTTP for the
] purpose of circumventing firewall policies, if a protocol uses the
] documented application semantics and extensibility features of HTTP 1.1,
] it should not be discouraged from using port 80.

So while I'm sure that we (IETF/IESG, W3C) share a common goal of
ensuring that security is upheld, it's less clear to me that we agree
about what that means in practice.

Also, I for one would be interested in your response to our comments, if
you could find them.  I don't know if the TAG would or not.



Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA.

Received on Friday, 5 April 2002 11:25:44 UTC