
Re: The point is to change it: Was: IPv4 depletion makes CNN

2010-06-14 10:21:12
You completely missed the point of my post.

HTTPS is just as bad as HTTP as a URL for a Web Service.


HTTP is a low-level protocol; the layering of the Web service on HTTP
or SOAP over HTTP or whatever should be abstracted away in the Web
Service URI. Just like we abstract away the fact we are using TCP/IP.

Removing the clutter allows us to reclaim the URI for use by the Web
Service. At the moment the URI that is submitted to the Web Server has
a mixture of information relevant to the protocol and irrelevant
details that have to do with the administration of the Web Service.

Specifying irrelevant details in the URI makes operation of the
service dependent on them being filled out. Which in turn means that
they are difficult to change. We are creating an unnecessary
management trap for ourselves.

Not specifying those details and allowing them to be filled in using
information from the DNS (SRV records, hints, etc) or defaults means
that THOSE DEFAULTS CAN NOW BE CHANGED WITHOUT IMPACTING SERVICE.


Take your example of using HTTPS. The notion of changing the URI stem
to turn on security is a really bad design. It has left us with a Web
where SSL is the Sunday best you put on for special occasions, not
regular wear. (SSL upgrade could help but is vulnerable to downgrade
attack).

What you really want to have as the 'open socket' API is something like:


OpenWebService (In String dns_name, In String service_prefix,
                In Enum minimum_trust, Out Socket socket)

Where minimum_trust is (NONE, DomainValidated, OrganizationValidated,
ExtendedValidated)

Just as the standard open call does a number of procedures under the
covers, this API would be doing the SRV failover processing, working
out if upgrade was possible, required, doing path math, etc.


Now APIs are not part of IETF purview. But what is and should be is
creating the conditions that make a highly generic API possible. The
API above only works if the Web Service we want to use conforms to a
particular standard calling mechanism. And that standard should come
from either the IETF or W3C.

The reason that an API is necessary and important is that while it is
easy to implement that in C or C#, it is a heck of a lot of hassle to
do the same in Perl or any of the scripting languages people want to
use - relative to the rest of the code they are writing.


On Sat, Jun 12, 2010 at 12:24 AM, Masataka Ohta
<mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:
> Phillip Hallam-Baker wrote:
>
>> The URI syntax you specify is only used for some protocols and most of
>> the elements are defaulted. In fact we have got to the point where for
>> Web browsing everything is defaulted except for the domain name.
>
> The point was to change the default of 80.
>
>> I think we need to break the idea that a Web service should have a URL
>> that starts HTTP.
>
> Try https.
>
>> Under the covers this would of course expand via SRV to a http URL,
>
> SRV answer gives port numbers and addresses, not a URL.
>
>                                                        Masataka Ohta




-- 
Website: http://hallambaker.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
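
The policy logic behind the OpenWebService call described in the message above, as an added example that is not part of the original post: SRV failover in RFC 2782 order, with minimum_trust as a floor so that a stripped upgrade fails closed instead of downgrading. The resolve and connect hooks, the weakest-to-strongest ordering of the trust levels, the tuple return in place of the Out parameter, and the example.com sample records are assumptions made for illustration.

```python
import random
from enum import IntEnum
from typing import NamedTuple

class Trust(IntEnum):  # the post's minimum_trust values, assumed ordered weakest to strongest
    NONE = 0
    DomainValidated = 1
    OrganizationValidated = 2
    ExtendedValidated = 3

class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample records (not from the post) for _example._tcp.example.com
SAMPLE = [Srv(10, 0, 443, "a.example.com"), Srv(20, 0, 443, "b.example.com"),
          Srv(30, 0, 443, "c.example.com")]

def srv_order(records, rng=random):
    """RFC 2782 order: lowest priority first, weighted random choice within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # Weight-0 records go first so they keep a small chance of selection.
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while group:
            pick, running = rng.randint(0, sum(r.weight for r in group)), 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered

def open_web_service(dns_name, service_prefix, minimum_trust, resolve, connect):
    """resolve(qname) -> [Srv]; connect(host, port) -> (sock, Trust), raising OSError on failure.
    Both are injected (hypothetical) hooks so the policy logic runs without a network."""
    failures = []
    for rec in srv_order(resolve(f"{service_prefix}.{dns_name}")):
        try:
            sock, achieved = connect(rec.target, rec.port)
        except OSError as exc:
            failures.append(f"{rec.target}: {exc}")  # SRV failover: try the next target
            continue
        if achieved >= minimum_trust:
            return sock, rec.target, achieved
        sock.close()  # fail closed: never hand back a channel below the caller's floor
        failures.append(f"{rec.target}: {achieved.name} < {minimum_trust.name}")
    raise ConnectionError("; ".join(failures) or "no SRV records")
```

Because the caller states the floor and the URI carries no scheme or port, the operator can move ports or targets in DNS without touching clients, and a peer that cannot reach the floor is skipped rather than silently accepted.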
