OASIS Mailing List Archives

   SOAP and Firewalls


Buried among the various debates was one point that I'd like to bring to
the forefront. Firewall avoidance is either part of SOAP's mission or it
isn't. Maybe SOAP uses HTTP as if it were a transport protocol merely
because it's "easier" to plug into HTTP-centric architectures than to
talk sockets (arguable, but anyhow). In that case firewall avoidance
would be an accident.

So here's a simple test we can do. If we can all come to consensus that
firewall avoidance is a BAD THING then we can put together a petition
that SOAP should use HTTP but simply on a different port. The SOAP
specification should say: "Applications of SOAP MUST NOT use port 80
unless they adhere to all of the semantics of HTTP.*"

This seems like common sense to me. If you're using HTTP's port a
responsible developer will follow HTTP semantics. If you're not, you
choose a different port. You can absolutely use HTTP tools, just don't
pass yourself off as HTTP. Yes, I know that SOAP isn't the only HTTP
abuser ... I really don't see that as an argument in favour of further
abuse!

All in favour? We can easily shut that loony Bruce Schneier up! And it
strikes me as a near boolean test of whether SOAP is "fer" firewall
security or "agen" it.

 Paul Prescod

* Semantics of HTTP: The addresses of all resources being manipulated
should be expressed in the end-point URI, not the SOAP body. POST should
not be used for safe, idempotent fetching of information.




 


Copyright 2001 XML.org. This site is hosted by OASIS