Re: Proposal for a protocol binding model

On Tue, Aug 21, 2001 at 02:21:31PM -0400, Mark Baker wrote:

> > (tho I don't really see the utility in this).
> It's primarily for security reasons.  A firewall admin should be
> able to identify (for blocking, or further filtering) SOAP based
> protocols being tunneled over application protocols, while permitting
> uses of SOAP that use the application protocols as they were designed
> to be used.

This is a horrible security mechanism; why in the world would you
trust a label that says "no bomb is in this suitcase?"

The predominant feedback from sysadmins and IETF-heads that I see
(and happen to agree with) is 'better not label it at all, lest
someone thinks the label actually means something.' This is why
SOAPAction should die IMHO, and any content-type that tries to go
beyond 'this is a SOAP message' should as well; the content type
system is engineered for convenience, not application of security

Mark Nottingham

Received on Wednesday, 22 August 2001 02:15:09 UTC