W3C home > Mailing lists > Public > www-tag@w3.org > April 2002

Re: RFC 3205 background (HTTPSubstrate-16)

From: Mark Baker <distobj@acm.org>
Date: Fri, 5 Apr 2002 11:31:06 -0500
To: Keith Moore <moore@cs.utk.edu>
Cc: Mark Nottingham <mnot@mnot.net>, www-tag@w3.org
Message-ID: <20020405113106.G8199@www.markbaker.ca>
On Fri, Apr 05, 2002 at 11:07:06AM -0500, Keith Moore wrote:
> I don't think we should treat port 80 as a battleground.
> Nobody is claiming that every single application (in the sense 
> that every URI is potentially a different application) needs a 
> new port, only that there are disadvantages to running multiple
> applications over the same port if those applications differ in 
> ways that are significant to a network administrator.  

I'm in full agreement, but parts of 3205 suggest that the W3C and
IETF/IESG may not be in agreement about what these differences are.

From the response that Henrik, Randy, and I put together[1] (which, for
everybody's information, was *not* an official response from the XML
Protocol WG);

] Addressing these in bullet item order, the definitions of "traditional
] HTTP service" and  "new service" are not clear.  It is very difficult to
] characterize HTTP traffic in a meaningful way since every URI is
] potentially a "new service" in some fashion. Using the dataset referenced
] doesn't follow the spirit of the World Wide Web and resources of many
] types can co-exist in similar URI namespaces. 
] Using the codebase or server process model to distinguish whether a "new
] service" is being offered is equally inadequate since it is common
] practice to use a variety of provisioning and coding models to implement
] services. Utilization of dedicated ports to filter services on the Web
] would not address all security issues and would be expensive in terms of
] number of ports in use and enterprise support requirements.  Significant
] reconfiguration of enterprise infrastructure and additional implementation
] and support costs may be avoidable if a layered approach can be used to
] meet security, filtering and support requirements.  Furthermore, it is not
] clear how allocating new port numbers is consistent with the desire for
] limiting use of new port numbers as has been seen in the case of SSL.
] While we do not support the specification of bindings to HTTP for the
] purpose of circumventing firewall policies, if a protocol uses the
] documented application semantics and extensibility features of HTTP 1.1,
] it should not be discouraged from using port 80.

So while I'm sure that we (IETF/IESG, W3C) share a common goal of
ensuring that security is upheld, it's less clear to me that we agree
about what that means in practice.

Also, I for one would be interested in your response to our comments, if
you could find them.  I don't know if the TAG would or not.


 [1] http://lists.w3.org/Archives/Public/xml-dist-app/2000Dec/0061.html

Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA.      mbaker@planetfred.com
http://www.markbaker.ca   http://www.planetfred.com
Received on Friday, 5 April 2002 11:25:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:55:51 UTC