dotgnu-general

Re: [DotGNU]Microsoft guru: Stamp out HTTP


From: Carsten Kuckuk
Subject: Re: [DotGNU]Microsoft guru: Stamp out HTTP
Date: Wed, 27 Feb 2002 11:33:43 +0100

There are some points I want to make:

(1) The "Microsoft Guy" mentioned is Don Box. I attended one
of his presentations last week. He just joined Microsoft in
January 2002. Before that, he had his own company, and he was
the co-author of the original SOAP-specification.

(2) Just take his remarks as a scientific observation: HTTP
is not suitable for peer-to-peer communication, but it's perfect
for a client-server world.

(3) SOAP is just the latest incarnation of a remote procedure call.
Before it, we had XML-RPC, RMI (from Sun), CORBA's IIOP,
DCE-RPC from the Unix world and lots of others. Technically they
have more in common than they differ. It's always a way to encode
a function call in a data packet, open up a Telnet connection, send
that packet and wait for a reply. After a while, people recognize
that they need well-known names and invent repositories, and then
they invent a way to publish services. "Not invented here" syndrome.
Deja vu all over again.

(4) Most of the above-mentioned protocols lack security: Everybody
can connect to a socket and dump a data packet, in clear-text nevertheless,
and will most likely get a reply. This is heaven for Three-Letter-Agencies,
as they can watch all communication going on in clear-text, and makes
life pretty easy for wannabe hackers. Even when authentication is included,
the protocols are still a good target for DoS-attacks, as most of them
read the full packet first, decode it, and only then discover that they
can discard it.

(5) Don Box is right in that HTTP is ubiquitous and thus is the protocol
of first choice for practical reasons. He's also right in that
SOAP-over-HTTP is not suitable for P2P: You can only initiate a SOAP-call
from within a
company, but you can't call a particular computer inside a company's
network from outside that network, because the firewalls won't allow that.

Good for our security, but bad for, well, the Borg.

Carsten Kuckuk
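
The denial-of-service concern in point (4) comes down to the order of checks in the receiver. The following is an added example, not part of the original message: it assumes a hypothetical length-prefixed frame carrying an HMAC-SHA256 tag and a pre-shared key (all names and limits are assumptions), and contrasts the read-decode-then-check order with one that applies a size cap and a MAC check before the decoder runs.

```python
import hashlib, hmac, io, json, struct

KEY = b"constructed-demo-key"    # assumption: key shared by both peers
MAX_BODY = 4096                  # assumption: largest call accepted
HEADER = struct.Struct("!I32s")  # hypothetical frame: body length + HMAC-SHA256 tag

def mac(body, key=KEY):
    return hmac.new(key, body, hashlib.sha256).digest()

def frame(body, key=KEY):
    """Sender side: prefix the encoded call with its length and MAC."""
    return HEADER.pack(len(body), mac(body, key)) + body

def read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated frame")
    return data

def naive_receive(stream):
    """Order criticised in point (4): read everything, decode, then check."""
    raw = stream.read()                          # unbounded read
    _, tag = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:]
    try:
        call = json.loads(body)                  # decoder runs on untrusted bytes
    except ValueError:
        call = None
    ok = hmac.compare_digest(tag, mac(body))
    return (call if ok else None), len(raw)      # (call, bytes consumed)

def hardened_receive(stream):
    """Cheap checks first: size cap, then MAC, and only then decode."""
    length, tag = HEADER.unpack(read_exact(stream, HEADER.size))
    if length > MAX_BODY:
        return None, HEADER.size                 # dropped after the 36-byte header
    body = read_exact(stream, length)
    if not hmac.compare_digest(tag, mac(body)):
        return None, HEADER.size + length        # dropped before the decoder
    return json.loads(body), HEADER.size + length

if __name__ == "__main__":
    # Constructed inputs: a valid call, a wrong-key call, an oversized claim.
    good = frame(b'{"method": "add", "params": [1, 2]}')
    forged = frame(b'{"method": "add", "params": [1, 2]}', key=b"other-key")
    huge = HEADER.pack(10_000_000, bytes(32)) + b"A" * 100_000
    for name, pkt in (("good", good), ("forged", forged), ("huge", huge)):
        print(name, naive_receive(io.BytesIO(pkt)), hardened_receive(io.BytesIO(pkt)))
```

Both receivers return the same verdicts; the second value in each result shows how many bytes each one consumed before reaching it.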


