- From: christopher ferris <chris.ferris@east.sun.com>
- Date: Wed, 22 Aug 2001 09:58:36 -0400
- To: Mark Nottingham <mnot@mnot.net>
- CC: Mark Baker <distobj@acm.org>, Henrik Frystyk Nielsen <henrikn@microsoft.com>, xml-dist-app@w3.org
+1

Mark Nottingham wrote:
>
> On Tue, Aug 21, 2001 at 02:21:31PM -0400, Mark Baker wrote:
>
> > > (tho I don't really see the utility in this).
> >
> > It's primarily for security reasons. A firewall admin should be
> > able to identify (for blocking, or further filtering) SOAP based
> > protocols being tunneled over application protocols, while permitting
> > uses of SOAP that use the application protocols as they were designed
> > to be used.
>
> This is a horrible security mechanism; why in the world would you
> trust a label that says "no bomb is in this suitcase?"
>
> The predominant feedback from sysadmins and IETF-heads that I see
> (and happen to agree with) is 'better not label it at all, lest
> someone thinks the label actually means something.' This is why
> SOAPAction should die IMHO, and any content-type that tries to go
> beyond 'this is a SOAP message' should as well; the content type
> system is engineered for convenience, not application of security
> policy.
>
> --
> Mark Nottingham
> http://www.mnot.net/
>
Received on Wednesday, 22 August 2001 09:58:41 UTC
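
The label-versus-content point argued in the quoted reply, as an added example that is not part of the original message or of any SOAP implementation: a filter that classifies a request by parsing the payload and reports where the sender-supplied label (`SOAPAction`, `Content-Type`) disagrees with it. The function names and sample requests are constructed for illustration, and the body is assumed to be already size-limited by the gateway.

```python
import xml.etree.ElementTree as ET

# Namespaces of the SOAP 1.1 and SOAP 1.2 envelope element.
SOAP_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
}

def label_says_soap(headers):
    """What the sender claims: a SOAPAction header or a SOAP media type."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return "soapaction" in h or ctype == "application/soap+xml"

def body_is_soap(body):
    """What was actually sent: is the root element a SOAP Envelope?"""
    # Assumption: a production gateway would use a hardened XML parser
    # (for example defusedxml) instead of the standard library parser.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    if not root.tag.startswith("{"):
        return False
    ns, _, local = root.tag[1:].partition("}")
    return local == "Envelope" and ns in SOAP_NS

def classify(headers, body):
    """Policy decision driven by content; the label only adds a mismatch flag."""
    labelled, actual = label_says_soap(headers), body_is_soap(body)
    if actual and not labelled:
        return "unlabelled-soap"      # a label-only filter would pass this
    if labelled and not actual:
        return "label-without-soap"   # a label-only filter would block this
    return "soap" if actual else "not-soap"

# Constructed sample requests (headers, body).
ENVELOPE = (b'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">'
            b"<e:Body/></e:Envelope>")
SAMPLES = [
    ({"Content-Type": "text/xml", "SOAPAction": '""'}, ENVELOPE),
    ({"Content-Type": "text/xml"}, ENVELOPE),
    ({"Content-Type": "application/soap+xml"}, b"<html/>"),
    ({"Content-Type": "text/html"}, b"<html/>"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(classify(headers, body), headers)
```
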