- From: Rich Salz <rsalz@zolera.com>
- Date: Fri, 27 Jul 2001 21:21:40 -0400
- To: mark.baker@sympatico.ca
- CC: xml-dist-app@w3.org
> > > Without getting into the details, if I only allow GET invocations
> > > to my site, and don't install any software that does "silly GET
> > > tricks", I'm secure.

And if I don't install a SOAP processor on my web server, I'm secure.

> > "make it obvious to firewalls, etc." isn't on that list [of requirements].
>
> Yup ... I am glad you agree.

Will you now stop saying it's something we should do?

> > R612 ...
>
> appears to exclude the possibility of the WG defining a normative
> binding used for tunneling, as tunneling does not respect HTTP semantics.

I disagree. HTTP makes no comment on the data format in a POST. And what HTTP semantics are being violated by a tunnel telling HTTP "don't worry, be happy, 200" ? If we change SOAP 1.1 to say faults came back as 200 and SOAPAction is deprecated, then we meet R612.

I don't think I have anything new to contribute to this discussion, so I expect this to be my last post on this topic.

/r$

--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com

Received on Friday, 27 July 2001 21:20:02 UTC