- From: David Hull <dmh@tibco.com>
- Date: Wed, 11 Jan 2006 14:02:01 -0500
- To: Mark Baker <distobj@acm.org>
- Cc: xml-dist-app@w3.org
- Message-id: <43C55629.405@tibco.com>
Mark Baker wrote:

>On 1/10/06, David Hull <dmh@tibco.com> wrote:
>
>> One small clarification. The sentence "The only problem appears to be that
>>the resulting SOAP 'request' and 'response' messages aren't correlated in
>>the usual manner." may seem to state that the usual rules of HTTP
>>request-response are not in effect, which was not my intent and is
>>definitely not what the rest of the piece is saying. It would probably have
>>been better to say something more like "The only problem appears to be that
>>the resulting SOAP request and response messages can also be interpreted as
>>part of a message flow completely distinct from the HTTP request-response
>>flow."
>
>Thanks for the clarification, David, I agree that the replacement text
>describes a less serious problem than the original text. It's still a
>problem though (as you note) from a transfer binding POV,

I believe I said, "This problem, if it is a problem at all, is of no concern to anything that just looks at HTTP."

>and it does
>still impact HTTP intermediaries, in particular in this case,
>firewalls, which require knowing what's a request and what's a
>response to do their job properly. Consider that if SOAP requests
>could arrive as HTTP responses (PAOS anyone?), that this would be a
>serious security problem.

At the risk of sounding repetitious, what do you see as the security (or other) problem?

>Mark.

Received on Wednesday, 11 January 2006 19:02:21 UTC