- From: Mark Baker <distobj@acm.org>
- Date: Wed, 22 Aug 2001 03:13:04 -0400 (EDT)
- To: mnot@mnot.net (Mark Nottingham)
- Cc: henrikn@microsoft.com (Henrik Frystyk Nielsen), xml-dist-app@w3.org
> This is a horrible security mechanism; why in the world would you
> trust a label that says "no bomb is in this suitcase?"

A better analogy, I believe, would be a grenade.  As long as the
pin isn't pulled, you're safe.  That's what I'm talking about
here; not just willy nilly pulling pins out of anything that
happens to find its way across your firewall.

While the mechanism I'm suggesting is a label ("I'm a grenade" in
the case of a tunneled protocol), it is primarily a dispatch
mechanism.  The only way pins will get pulled is if the grenade
gets dispatched to a pin-pulling piece of software (so to speak).

I believe it would be a good thing to ask that an incoming message
explicitly request the privilege of being able to pull pins, and to
allow firewall admins to answer "no".

> The predominant feedback from sysadmins and IETF-heads that I see
> (and happen to agree with) is 'better not label it at all, lest
> someone thinks the label actually means something.' This is why
> SOAPAction should die IMHO, and any content-type that tries to go
> beyond 'this is a SOAP message' should as well; the content type
> system is engineered for convenience, not application of security
> policy.

Perhaps, though as mentioned, dispatch does take place on the label
and Content-Type is used for dispatch (just not exclusively).  But
I don't much care what the solution looks like, as long as there is
one.

What's the media type for a protocol anyhow? 8-)

MB

Received on Wednesday, 22 August 2001 03:13:11 UTC