- From: Rich Salz <rsalz@zolera.com>
- Date: Wed, 25 Jul 2001 13:38:27 -0400
- To: mark.baker@sympatico.ca
- CC: xml-dist-app@w3.org
> I answered this one already. HTTP response code 401 is very > specific to HTTP authentication and does not include SOAP > signatures. okay, then 403. :) > But you always get a 200 in the binding that I believe you're > promoting. Isn't that a bit inefficient? Perhaps, trivially so. But it's a worthwhile tradeoff in terms of code complexity, etc. > How else would you suggest we allow firewall administrators to disallow > SOAP invocations over their firewalls? We should tell them: that's not the way to make things secure. > Not at all. Using a new URI scheme does not preclude HTTP from > being the protocol used to access it. Just as the HTTPS URI > scheme uses HTTP, so can the SOAP one. You're mixing theory and reality. :) If I have to teach the HTTP infrastructure about a new URI scheme then the benefit of tunneling is lost. I just did "telnet www.apache.org 80" and said "GET foo:/ HTTP/1.0" and got back: Invalid URI in request GET foo:/ HTTP/1.0 -- Zolera Systems, Your Key to Online Integrity Securing Web services: XML, SOAP, Dig-sig, Encryption http://www.zolera.com
Received on Wednesday, 25 July 2001 13:38:24 UTC