- From: Mark Nottingham <mark.nottingham@bea.com>
- Date: Wed, 5 Nov 2003 13:40:13 -0800
- To: noah_mendelsohn@us.ibm.com
- Cc: "Xml-Dist-App@W3. Org" <xml-dist-app@w3.org>, Martin Gudgin <mgudgin@microsoft.com>, Yves Lafon <ylafon@w3.org>, Anish Karmarkar <Anish.Karmarkar@oracle.com>
Is there an expectation that putting headers in Representation will also secure the MIME part's headers on the wire when xbinc:Include is used? I don't see a use case for doing so, as long as we're working in the context of a MIME envelope. If we allow xbinc:Include to reference arbitrary resources from the Web, it may become necessary. I do see a case for securing the binding's top-level metadata (in HTTP, the HTTP headers), but that's a separate topic IMO. On Nov 5, 2003, at 7:12 AM, noah_mendelsohn@us.ibm.com wrote: > > Martin Gudgin writes: > >> One reason for specifying information in the >> Representation header is that it can be secured using >> the mechanisms in WS-Security as it's just another >> piece of XML. > > Agreed. I think it's very important to keep the levels straight. > > To meet our use cases, MTOM needs to be more than an optimization > mechanism: it must provide means of carrying MIME-typed information > in a > SOAP Infoset, and optionally indicating that the content in question > is a > cached representation of some Web Resource. That aspect of MTOM is, > IMO, > completely independent of the optimization, or of any particular > embodiment of the optimization as binary in multipart MIME. > > It is also true that our preferred serialization and the proposed HTTP > binding that use it are MIME based, giving us the opportunity to carry > some of the same information in the "on the wire" MIME container. > That is > a completely different level that applies only to bindings that use > that > particular serialization. I can see both sides to the question of > whether > our serialization should explicitly carry indications such as > Content-Type="image/jpeg". That's redundant information available from > the attribute in the Infoset (if available at all). Getting it into > the > MIME envelope will require some tracking of the state of the XML, and > perhaps some XML parsing. The serializer now needs to know not only > that > content is base64 canonical but also the values of attributes > surrounding > it. On the other hand, it clearly is a better use of MIME to > explicitly > indicate the content-type if known than to just label everything as an > OctetStream. So, I'm curious what others think on this question. > > In any case, I am not comfortable with a design that presumes that all > MTOM implementations use the preferred serialization, and that infer > MIME > type information from it. Indeed, we've been very clear that MTOM > content > should travel with full fidelity over the SOAP 1.2 HTTP binding. > > Yves Lafon writes: > >> All those metadata are transient and exists only >> between two binding instances. If you sign it, then the >> verification has to be done at the binding level and >> not at the application level. > > With respect, I don't >think< so. We are proposing attributes to go > on > content in the SOAP infoset. Those attributes carry information about > MIME types, and they represent a contract with (at least) whichever > roles > the headers target, or if in the body with the endpoint. The fact that > particular bindings may optimize on one hop or another is not the > point, I > think. > > Thank you! > > -------------------------------------- > Noah Mendelsohn > IBM Corporation > One Rogers Street > Cambridge, MA 02142 > 1-617-693-4036 > -------------------------------------- > > >
Received on Wednesday, 5 November 2003 16:42:46 UTC