security-bindings message


Subject: RE: SOAP 1.1 Protocol Binding


Evan,

The protocol binding needs to be very specific about how it is bound to SOAP
1.1.  In particular, the binding to SOAP 1.1 RPC over HTTP should be very
explicit.  SOAP 1.1 binding is different than SOAP 1.1 RPC binding (SOAP 1.1
is 1-way, RPC is well, RPC).  Feel free to forward your response to
security-services if you think the overall TC should be interested in this
exchange.  

I suggest the following
o SOAPAction must not be used.  Rationale: SOAP 1.2 will be deprecating or
minimizing its usage.
o Preclude trailers.  SOAP 1.1 leaves trailers undefined.
o Headers should be specified explicitly, and how intermediaries will deal
with them.
o It should be called out whether Actor and MustUnderstand are required for
headers or not.
o The use of order in headers needs to be called out, is it lexical or some
other order?
o The behaviour of Header errors needs to be called out.  Note that SOAP
precludes the use of Fault Codes for header errors.  What if order is
invalid?  What if not all mustUnderstand="1" headers were processed?  Are
multiple headers for an intermediary atomic (do all mustUnderstand="1" or
rollback?).
o The contents of FaultDetails should be specified IFF we want to allow
multiple returns.  This is how SOAP is designed for multiple errors.
o 4.6.1 "The parties MUST NOT add signatures in either the headers or the
envelope of the SOAP message.".  Are you serious?  Say an intermediary
processes a header (mustUnderstand="1") and changes the attribute to
(hasUnderstood="1", SOAP 1.2 proposal) and adds a signature to indicate
secure that it processed the header.  Why preclude that?
o The processing model of intermediaries is very unclear here.  Imagine 2
cases: 1) Author wants to specify the exact route of a message through
intermediaries; 2) Author wants multiple intermediaries, but it only knows
the first node.  How are headers constructed differently based on these 2
processing models?

Cheers,
Dave

> -----Original Message-----
> From: Evan Prodromou [mailto:eprodromou@securant.com]
> Sent: Tuesday, June 12, 2001 7:32 PM
> To: security-bindings@lists.oasis-open.org
> Subject: SOAP 1.1 Protocol Binding
> 
> 
> Attached is a first draft of the SOAP 1.1 protocol binding. It's
> fairly detailed, but the essential message of the protocol binding
> ("put queries and responses in message bodies") is extremely simple.
> 
> Thanks for your patience on this.
> 
> ~ESP
> 
> 
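
Added example, not part of the original message or of the draft binding: a sketch of how a node could select the SOAP 1.1 header entries targeted at it and apply the mustUnderstand check before processing anything. The `urn:example:*` names, the node URIs and both function names are hypothetical, and the all-or-nothing behaviour is one possible answer to the atomicity question raised above, not something the draft specifies.

```python
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
NEXT = "http://schemas.xmlsoap.org/soap/actor/next"  # SOAP 1.1 "next" actor URI

# Constructed sample message; the urn:example:* names are placeholders.
SAMPLE = f"""
<e:Envelope xmlns:e="{ENV}">
  <e:Header>
    <a:Trace xmlns:a="urn:example:audit" e:actor="{NEXT}" e:mustUnderstand="1"/>
    <r:Hop xmlns:r="urn:example:route" e:actor="urn:example:node-b" e:mustUnderstand="1"/>
    <t:Txn xmlns:t="urn:example:txn" e:mustUnderstand="1"/>
  </e:Header>
  <e:Body/>
</e:Envelope>""".strip()

def targeted_headers(envelope_xml, my_actor, is_ultimate):
    """Header entries SOAP 1.1 targets at this node, in document order."""
    header = ET.fromstring(envelope_xml).find(f"{{{ENV}}}Header")
    if header is None:
        return []
    mine = []
    for entry in header:
        actor = entry.get(f"{{{ENV}}}actor")
        # No actor attribute means the entry is for the ultimate recipient.
        if (actor is None and is_ultimate) or actor in (NEXT, my_actor):
            mine.append(entry)
    return mine

def check_must_understand(envelope_xml, my_actor, is_ultimate, understood):
    """Return ("ok", tags to process) or ("MustUnderstand", tags not understood).

    Every targeted entry is checked before any is processed, so one unknown
    mandatory entry rejects the message with nothing half-applied.
    """
    entries = targeted_headers(envelope_xml, my_actor, is_ultimate)
    unknown = [e.tag for e in entries
               if e.get(f"{{{ENV}}}mustUnderstand") == "1" and e.tag not in understood]
    if unknown:
        return ("MustUnderstand", unknown)
    return ("ok", [e.tag for e in entries if e.tag in understood])

if __name__ == "__main__":
    knows_trace = {"{urn:example:audit}Trace"}
    print(check_must_understand(SAMPLE, "urn:example:node-a", False, knows_trace))
    print(check_must_understand(SAMPLE, "urn:example:node-b", False, knows_trace))
```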

