- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 07 May 2001 15:57:25 -0700 (PDT)
- To: xml-dist-app@w3.org
Carson is the admin of the firewalls list; he gave me permission to forward.

----- Forwarded message from Carson <carson@taltos.org> -----

Date: Mon, 7 May 2001 15:55:05 -0700 (PDT)
From: Carson <carson@taltos.org>
Subject: Re: SOAP/XML Protocol and filtering, etc.
To: Mark Nottingham <mnot@akamai.com>

The initial response to your query on the firewalls mailing list may have already told you this, but just in case.

Firewall admins do _not_ like SOAP, because:

- The usual anti-Microsoft jihad
- It overloads an existing protocol with high-risk capabilities (arguably already present with CGI)
- The WG has yet to publish any security considerations, much less any controls

Coming to us at this point asking about a parsing header, before you've gotten anyone to agree on integrity, privacy, authentication, and authorization, is putting the cart before the horse.

That being said, I am certainly in favor of anything that enables an automated enforcement mechanism to make more intelligent decisions. My life would be made easiest if the soapaction header were forced to match the xml namespace. I'd still have to parse the xml if I wanted to do data validation, but if I trusted the client and server implementations, I'd just have to extract the header.

If you'd like a more constructive response in future, I suggest coming clean with the security status of SOAP in your message. It's possible that things are happening inside the WG, but nothing being published is a bad sign.

-- 
Carson

----- End forwarded message -----
Received on Monday, 7 May 2001 18:57:34 UTC