Re: Proposal for a protocol binding model

> This is a horrible security mechanism; why in the world would you
> trust a label that says "no bomb is in this suitcase?"

A better analogy, I believe, would be a grenade.  As long as the
pin isn't pulled, you're safe.  That's what I'm talking about
here; not just willy-nilly pulling pins out of anything that
happens to find its way across your firewall.

While the mechanism I'm suggesting is a label ("I'm a grenade" in
the case of a tunneled protocol), it is primarily a dispatch
mechanism.  The only way pins will get pulled is if the grenade
gets dispatched to a pin-pulling piece of software (so to speak).

I believe it would be a good thing to ask that an incoming message
explicitly request the privilege of being able to pull pins, and to
allow firewall admins to answer "no".

> The predominant feedback from sysadmins and IETF-heads that I see
> (and happen to agree with) is 'better not label it at all, lest
> someone thinks the label actually means something.' This is why
> SOAPAction should die IMHO, and any content-type that tries to go
> beyond 'this is a SOAP message' should as well; the content type
> system is engineered for convenience, not application of security
> policy.

Perhaps, though as mentioned, dispatch does take place on the label
and Content-Type is used for dispatch (just not exclusively).  But
I don't much care what the solution looks like, as long as there is
one.

What's the media type for a protocol anyhow? 8-)

MB

Received on Wednesday, 22 August 2001 03:13:11 UTC