- From: John Kemp <john.kemp@nokia.com>
- Date: Fri, 13 Jan 2006 10:44:26 -0500
- To: ext Mark Baker <distobj@acm.org>
- Cc: xml-dist-app@w3.org
Hi Mark,

Ultimately, it's the case that a PAOS-capable user-agent should be aware of related security considerations -- a PAOS-capable user-agent cannot rely on being protected by a firewall. In any case, this security consideration is noted directly in the PAOS specification (section 12 of [1]). In particular, PAOS-capable user-agent implementations are recommended to authenticate the requester via TLS/SSL with certificate verification, an option certainly available to most existing user-agents. Such authentication may of course be performed by an intermediary (which may or may not specifically care about SOAP or PAOS) prior to dispatching the (SOAP) message to the PAOS-capable user-agent.

Cheers,

- JohnK

[1] http://www.projectliberty.org/specs/liberty-paos-v1.1.pdf

On Jan 12, 2006, at 9:12 PM, ext Mark Baker wrote:

> Hi John,
>
> On 1/12/06, John Kemp <john.kemp@nokia.com> wrote:
>> Firewalls certainly come in different varieties, and some will be smarter than others. But as something to which a SOAP message has been dispatched (whether it's a SOAP request or a SOAP response) why is it any more of a security risk to be dispatched a (SOAP) request message that was in response to an (HTTP) message I sent than it is to get a SOAP response to a SOAP request I sent?
>
> Because only requests are attempts to access services, and it's access to services that a firewall is trying to mediate.
>
>> From a coarse-grained firewall (one that doesn't inspect the contents of the HTTP response I guess) perspective, the HTTP response is still related to the request that was sent, and the HTTP response is sent back to the agent that initiated the HTTP request -- in both cases.
>
> "Related" isn't sufficient information for the firewall to do its job.
>
>> Speaking only to the PAOS question, I would note that the user agent receiving the HTTP response here will have explicitly advertised the service it offers specifically to the HTTP server with which it is interacting (via the PAOS HTTP header, during the HTTP request), making this more secure in some respects than the reception of an unsolicited SOAP request, which was not initiated by some action at the associated user agent (such as the user explicitly requesting some URL).
>
> It makes it more visible to intermediaries that know to look for that feature, enabling them to recognize the related incoming request if they want to ... which is all well and fine, but no help at all to the millions of existing firewalls which rely *only* on HTTP semantics to distinguish request and response.
>
> Mark.
Received on Friday, 13 January 2006 15:45:00 UTC
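As an added illustration (not code from this thread or from the Liberty PAOS specification), the dispatch gate a PAOS-aware user-agent or intermediary could apply to the two points discussed above: a SOAP request carried in an HTTP response is handed to the SOAP layer only if the user-agent's own request advertised PAOS (so it was solicited) and the requester was authenticated by TLS certificate verification. The PAOS version URN, the media type and the small request/response classes are assumptions made for the example.

```python
# Added example, not from the thread or the PAOS spec: a dispatch gate for a
# PAOS-aware user-agent or intermediary. A SOAP request arriving in an HTTP
# response is dispatched only if it was solicited (the request advertised PAOS)
# and the requester was authenticated (TLS with certificate verification).
from dataclasses import dataclass

# Assumed values for the example; check them against the PAOS specification.
PAOS_VERSION = "urn:liberty:paos:2003-08"
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"

@dataclass
class HttpRequest:
    headers: dict

@dataclass
class HttpResponse:
    headers: dict
    body: bytes
    tls_peer_verified: bool  # True only if the TLS stack verified the server cert

def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def advertised_paos(req):
    """Did this user-agent request explicitly offer the PAOS service?"""
    return (f'ver="{PAOS_VERSION}"' in header(req.headers, "PAOS")
            and PAOS_MEDIA_TYPE in header(req.headers, "Accept"))

def carries_soap_request(resp):
    """Is the response body a PAOS (SOAP request) payload rather than, say, HTML?"""
    media = header(resp.headers, "Content-Type").split(";")[0].strip().lower()
    return media == PAOS_MEDIA_TYPE

def dispatch_decision(req, resp):
    """Return (allowed, reason). Non-PAOS responses pass through as ordinary HTTP."""
    if not carries_soap_request(resp):
        return True, "ordinary HTTP response"
    if not advertised_paos(req):
        return False, "unsolicited SOAP request in HTTP response"
    if not resp.tls_peer_verified:
        return False, "requester not authenticated via TLS"
    return True, "solicited PAOS request over verified TLS"

# Constructed sample exchange: a request that advertised PAOS and a PAOS reply.
SAMPLE_REQ = HttpRequest({"PAOS": f'ver="{PAOS_VERSION}"', "Accept": PAOS_MEDIA_TYPE})
SAMPLE_RESP = HttpResponse({"Content-Type": PAOS_MEDIA_TYPE}, b"<S:Envelope/>", True)
```

The same gate applied to a response that arrives without a prior PAOS advertisement, or over a connection whose server certificate was not verified, returns a refusal with the matching reason.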