• To: Rich Salz <rsalz@d...>
• Subject: Re: What Does SOAP/WS Do that A REST System Can't?
• From: Joe Gregorio <joe.gregorio@g...>
• Date: Thu, 31 Mar 2005 08:09:26 -0500
• Cc: "xml-dev@l..." <xml-dev@l...>
• Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=dKBNnFQXellPxViqUz8Yvlu4SdE+ztPC4TVAgHLCGZh3DlP3qEKK9zxyhzDON0/Qt6tMSEYoiWyE5hbdL+DxyDMjcmh69+iKyOhw533+f20teUOaC7DHZ4NlLCT6AWzc/zow/opojt8hmYdUnR6551iLsgH2xhSXb1e7uWmaxac=
• In-reply-to: <Pine.LNX.4.44L0.0503310047280.19794-100000@s...>
• References: <3f1451f5050330213723316d7a@m...> <Pine.LNX.4.44L0.0503310047280.19794-100000@s...>
• Reply-to: Joe Gregorio <joe.gregorio@g...>

On Thu, 31 Mar 2005 01:00:29 -0500 (EST), Rich Salz <rsalz@d...> wrote:
> I didn't think I was arguing SOAP v REST.  Tweaking some claims,
> perhaps. :)
> 
> >   Yes, Digest does include the URI in the hash.
> 
> The more correct synopsis would add "but Digest isn't practical"

For your context in which you are working that may be true, and I accept that.

> >   Yes, SLL is tied to the IP address of the server being accessed.
> 
> Here the text to add is "or an entity in 'front of' the server
> terminating the SSL connection."
> 

You have mentioned this before, but is there anything 
which stops you from using TLS/SSL on all the hops
*after* the firewall?

> > And POE does exactly that, if you miss the reply to your POST
> > then do your POST again, if you get a 405 then you know that the
> > first POST went through and you can do a GET on the
> > same URI to get the response body.
> 
> I don't think POE works without first doing a GET so that you
> can get the POE-Links URL to tell you where to go if you're
> POST doesn't get a response.  

That first GET is for the hypertext that contains the POE link, correct.
That's part of the 'hypermedia as the engine of application state", but
let's not go there :)

> Nor does POE have a strong way
> to prevent anyone else from getting the response, either.

I understand that you have issues with the current authentication
and encryption mechanisms for HTTP. 

What I don't understand is the underlying assumption that 
Basic and Digest are the end of the line for HTTP authentication. 
RFC 2617 not only defines Basic and Digest but puts in 
place a framework for adding new mechanisms.
In fact, two such extensions have been proffered during the course
of the Atom discussions[1][2], with the WSSE based mechanism being
adopted by TypePad and, until recently, Blogger. Blogger has since
switched to using Basic over SSL.

   -joe

[1] http://bitworking.org/news/New_AtomAPI_Implementation_Release2
[2] http://www.xml.com/pub/a/2003/12/17/dive.html

-- 
Joe Gregorio        http://bitworking.org

• Follow-Ups:
  • Re: What Does SOAP/WS Do that A REST System Can't?
    • From: Rich Salz <rsalz@d...>

• References:
  • Re: What Does SOAP/WS Do that A REST System Can't?
    • From: Joe Gregorio <joe.gregorio@g...>
  • Re: What Does SOAP/WS Do that A REST System Can't?
    • From: Rich Salz <rsalz@d...>

• Prev by Date: RE: Problem parsing XML file with Xerces-J
• Next by Date: RE: SOAP for non-RPC messaging application
• Previous by thread: Re: What Does SOAP/WS Do that A REST System Can't?
• Next by thread: Re: What Does SOAP/WS Do that A REST System Can't?
• Index(es):
  • Date
  • Thread