Re: A tale of two bindings

> The list of differences is completely ridiculous.  I can write
> tunnelling-oriented SOAP right now, and the only difference between what
> I use and your "application semantic" binding is whether faults come
> back using 500 or 200.

And the use of port 80, at a minimum.  There could very well have
been other major differences, as my tunnel-binding wasn't completely
specified as you may have noticed.

A binding is not a trivial piece of design work.  I'm quite sure one can
be quickly thrown together, but when done without a set of requirements,
it could potentially do major damage.

> > (**) A tunnel binding only requires a single bit of SOAP-identifying
> > information on an inbound message in order to unambiguously identify
> > to a receiving implementation that a tunnel needs to be established.
> 
> Not at all.  It could be completely up to the local server
> configuration.  I could write all my web services as CGI scripts and
> nobody would know.

You mean that the use of a tunnel could be hidden from intermediaries?
Ouch, I'm sure firewall admins would just love the W3C for that one.
While we can't stop anybody from tunneling, we should certainly aim
to provide a binding that makes it cheap and easy for tunneling to
be detected.  To not do so would be to commit a major security
faux pas.

MB

Received on Tuesday, 24 July 2001 18:59:46 UTC
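
The detection-cost point argued in the message above, as an added example that is not part of the original thread: an intermediary can classify a request from headers alone when the sender declares SOAP, but must inspect the body when the marker is absent. It assumes the SOAP 1.1 `SOAPAction` header as the identifying marker and the SOAP 1.1 envelope namespace; the sample requests, hosts, paths and function names are constructed for illustration.

```python
import re

SOAP11_NS = b"http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
ENVELOPE = (b'<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="' + SOAP11_NS +
            b'"><SOAP-ENV:Body/></SOAP-ENV:Envelope>')

# Constructed sample requests (hosts, paths and action URI are made up).
DECLARED = (b"POST /StockQuote HTTP/1.1\r\nHost: svc.example.test\r\n"
            b"Content-Type: text/xml\r\n"
            b'SOAPAction: "urn:example:GetQuote"\r\n\r\n' + ENVELOPE)
HIDDEN = (b"POST /cgi-bin/quote.cgi HTTP/1.1\r\nHost: svc.example.test\r\n"
          b"Content-Type: text/xml\r\n\r\n" + ENVELOPE)
FORM = (b"POST /cgi-bin/search.cgi HTTP/1.1\r\nHost: svc.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\nq=soap")


def split_request(raw):
    """Return (lower-cased header dict, body) for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def classify(raw):
    """Classify a request the way a filtering intermediary might."""
    headers, body = split_request(raw)
    # Cheap path: the sender declared SOAP in a header, no body parsing needed.
    if b"soapaction" in headers:
        return "soap-declared"
    # Expensive path: nothing in the headers, so the body must be inspected.
    if SOAP11_NS in body and re.search(rb"<([\w.-]+:)?Envelope[\s>]", body):
        return "soap-undeclared"
    return "not-soap"


if __name__ == "__main__":
    for name, req in (("DECLARED", DECLARED), ("HIDDEN", HIDDEN), ("FORM", FORM)):
        print(name, classify(req))
```
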