Stateless comms in the WSA

On Tue, Aug 06, 2002 at 01:44:51PM -0400, Champion, Mike wrote:
> This is a very useful thread.  Picking up on Hal's point, I'd like to see
> specific suggestions for what the WSA document should say about this issue.
> 
> 
> - What section should it be in?  Some sort of "General principles of using
> XML in web services payloads maybe?"  Then we can talk about SOAP's
> philosophy about DTDs and PIs, this general point about potential security
> threats from the actions that schema processors could perform?  We might
> also mention in this section that it is not possible to use W3C DTDs or
> Schemas to fully validate an XML message against the SOAP 1.1 or 1.2 specs
> because there is no way to disallow processing instructions, Doctype
> references or DTD internal subsets via any current schema language.
> 
> - What is the implication for the architecture itself?  I'm not sure ... does
> anyone think that this needs to be in the domain of any future working
> group?  

Oh yes, most definitely.  Stateless communication is a key architectural
constraint of the Web, and I've also heard many Web services people talk
about its value too.

> - What's the implication for Best Practice?  My personal, humble opinion is
> something like "One MAY use W3C XML Schemas for validating the payload of
> a web services message, but one SHOULD NOT rely on anything in the PSVI that
> is not in the raw InfoSet representation."  

I'd say "MUST NOT", since to do so creates interoperability problems
(or if we're giving direction to spec authors, 'SHOULD use "MUST
NOT"' 8-).  Also, we should try to generalize it and use the PSVI,
external entities, etc.  as examples.  There are other ways of doing the
wrong thing here, and they're not all obvious.

MB
-- 
Mark Baker, CTO, Idokorro Mobile (formerly Planetfred)
Ottawa, Ontario, CANADA.               distobj@acm.org
http://www.markbaker.ca        http://www.idokorro.com

Received on Tuesday, 6 August 2002 15:58:49 UTC
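
The quoted message notes that no current schema language can disallow processing instructions, Doctype references or DTD internal subsets, so a receiver has to enforce that restriction at parse time instead. The following is an added example, not part of the original thread or of any W3C text: it uses Python's standard expat bindings, and the function name, exception class and sample messages are constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenConstruct(ValueError):
    """Raised when a message carries a construct SOAP does not allow."""


def check_payload(data: bytes):
    """Return (accepted, reason); fail closed on DOCTYPE, PI or malformed XML."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity declaration in the subset is processed.
        subset = " with internal subset" if has_internal_subset else ""
        raise ForbiddenConstruct(f"DOCTYPE declaration{subset}")

    def on_pi(target, text):
        # The XML declaration itself is not reported here, only real PIs.
        raise ForbiddenConstruct(f"processing instruction '{target}'")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = on_pi
    try:
        parser.Parse(data, True)
    except ForbiddenConstruct as exc:
        return (False, str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return (False, f"not well-formed: {exc}")
    return (True, "ok")


# Constructed sample messages (not taken from the thread).
CLEAN = (b'<?xml version="1.0"?>'
         b'<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">'
         b'<env:Body><m:Ping xmlns:m="urn:example:ping"/></env:Body>'
         b'</env:Envelope>')
WITH_DOCTYPE = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE Envelope [<!ENTITY greeting "hello">]>'
                b'<Envelope><Body>&greeting;</Body></Envelope>')
WITH_PI = (b'<?xml version="1.0"?>'
           b'<Envelope><?render-hint mode="x"?><Body/></Envelope>')

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("doctype", WITH_DOCTYPE),
                       ("pi", WITH_PI)):
        print(label, check_payload(msg))
```

Running this check before schema validation means the validator only ever sees messages that are already free of the constructs it cannot rule out itself.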