- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 21 Aug 2001 23:15:07 -0700
- To: Mark Baker <distobj@acm.org>
- Cc: Henrik Frystyk Nielsen <henrikn@microsoft.com>, xml-dist-app@w3.org
On Tue, Aug 21, 2001 at 02:21:31PM -0400, Mark Baker wrote:
> > (tho I don't really see the utility in this).
>
> It's primarily for security reasons. A firewall admin should be
> able to identify (for blocking, or further filtering) SOAP based
> protocols being tunneled over application protocols, while permitting
> uses of SOAP that use the application protocols as they were designed
> to be used.

This is a horrible security mechanism; why in the world would you trust a label that says "no bomb is in this suitcase?" The predominant feedback from sysadmins and IETF-heads that I see (and happen to agree with) is 'better not label it at all, lest someone thinks the label actually means something.'

This is why SOAPAction should die IMHO, and any content-type that tries to go beyond 'this is a SOAP message' should as well; the content type system is engineered for convenience, not application of security policy.

--
Mark Nottingham
http://www.mnot.net/
Received on Wednesday, 22 August 2001 02:15:09 UTC
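An added illustration of the point above, not part of Mark Nottingham's message or of any W3C code: the SOAPAction header and Content-Type are client-supplied labels, independent of the body they claim to describe, so a policy check has to look at the envelope itself. The sample requests and function names are constructed for this example; the namespace URIs are the real SOAP 1.1 and SOAP 1.2 envelope namespaces.

```python
import xml.etree.ElementTree as ET

# Envelope namespaces for SOAP 1.1 and SOAP 1.2 (real values).
SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
}

def label_says_soap(headers):
    """What a label-based filter sees: only the client-supplied headers."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    return "soapaction" in h or "application/soap+xml" in ctype

def body_is_soap(body):
    """What a content-based check sees: is the root element a SOAP Envelope?"""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    if not root.tag.startswith("{"):        # root element has no namespace
        return False
    ns, local = root.tag[1:].split("}", 1)  # ElementTree spells tags "{ns}local"
    return local == "Envelope" and ns in SOAP_ENVELOPE_NS

def classify(headers, body):
    """Return (what the label claims, what the body actually is)."""
    return label_says_soap(headers), body_is_soap(body)

# Constructed sample requests, not captured traffic.
SOAP11 = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>'
PLAIN_XML = b"<order><item>1</item></order>"

SAMPLES = {
    # Labelled and really SOAP: both views agree.
    "labelled_soap": ({"Content-Type": "text/xml", "SOAPAction": '"urn:op"'}, SOAP11),
    # SOAP posted as text/xml with no SOAPAction: the label filter sees nothing.
    "unlabelled_soap": ({"Content-Type": "text/xml"}, SOAP11),
    # Plain XML with a SOAPAction header: the label filter sees SOAP that is not there.
    "labelled_non_soap": ({"Content-Type": "text/xml", "SOAPAction": '"urn:op"'}, PLAIN_XML),
}

def classify_all():
    return {name: classify(h, b) for name, (h, b) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (by_label, by_body) in classify_all().items():
        print(f"{name:18s} label={by_label!s:5s} body={by_body}")
```

Only the first sample gives the label filter the right answer; enforcing on the body gives the right answer for all three.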