OpenVMS Book Wins award

Printable View

10-20-2008, 05:36 PM
unix

OpenVMS Book Wins award

The Minimum You Need to Know About Service Orieted Architecture by
Roland Hughes

Award-Winner in the Business: Technology/Computers/Internet category
of the National Best Books 2008 Awards, sponsored by USA Book News

You can find this book in Island Computer's Web store.
10-20-2008, 05:38 PM
unix

Re: OpenVMS Book Wins award

Congratulations Roland!!!!!
Finally...

--
David B Turner

=============================================

Island Computers US Corp
PO Box 86
Tybee GA 31328

Toll Free: 1-877 636 4332 x201, Mobile x251
Email: [email]dturner@islandco.com[/email]
International & Local: (001)- 404-806-7749
Fax: 912 786 8505
Web: [url]www.islandco.com[/url]

=============================================
"yyyc186" <yyyc186@hughes.net> wrote in message
news:ee65a5f3-cba1-40a5-829f-59998aa33af5@o4g2000pra.googlegroups.com...[color=blue]
> The Minimum You Need to Know About Service Orieted Architecture by
> Roland Hughes
>
> Award-Winner in the Business: Technology/Computers/Internet category
> of the National Best Books 2008 Awards, sponsored by USA Book News
>
> You can find this book in Island Computer's Web store.[/color]
10-20-2008, 06:21 PM
unix

RE: OpenVMS Book Wins award

[color=blue]
> -----Original Message-----
> From: yyyc186 [mailto:yyyc186@hughes.net]
> Sent: Monday, October 20, 2008 1:37 PM
> To: [email]Info-VAX@Mvb.Saic.Com[/email]
> Subject: OpenVMS Book Wins award
>
> The Minimum You Need to Know About Service Orieted Architecture by
> Roland Hughes
>
> Award-Winner in the Business: Technology/Computers/Internet category
> of the National Best Books 2008 Awards, sponsored by USA Book News
>
> You can find this book in Island Computer's Web store.[/color]

Hey, very coooll ..

:-)

Additional info:

[url]http://www.usabooknews.com/bestbooksawards2008.html[/url]
scroll down to:
Business: Technology/Computers/Internet

Winner:
The Minimum You Need to Know About Service Oriented Architecture by Roland Hughes Logikal Solutions

ISBN 978-0-9770866-6-5

Some earlier feedback on the book:
[url]http://www.openvms.org/stories.php?story=08/09/27/8565098[/url]

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-254-8911
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.
10-20-2008, 09:37 PM
unix

Re: OpenVMS Book Wins award

On Oct 20, 12:36*pm, yyyc186 <yyyc...@hughes.net> wrote:[color=blue]
> The Minimum You Need to Know About Service Orieted Architecture by
> Roland Hughes
>
> Award-Winner in the Business: Technology/Computers/Internet category
> of the National Best Books 2008 Awards, sponsored by USA Book News
>
> You can find this book in Island Computer's Web store.[/color]

Congratulations, Roland. That is wonderful.

Rich
10-21-2008, 06:59 AM
unix

Re: OpenVMS Book Wins award

On 20 Oct, 18:36, yyyc186 <yyyc...@hughes.net> wrote:[color=blue]
> The Minimum You Need to Know About Service Orieted Architecture by
> Roland Hughes
>
> Award-Winner in the Business: Technology/Computers/Internet category
> of the National Best Books 2008 Awards, sponsored by USA Book News
>
> You can find this book in Island Computer's Web store.[/color]

This is the part where the people around here who have not bought one
of Roland's book rush to island computers web site and buy one.
....
10-21-2008, 03:40 PM
unix

Re: OpenVMS Book Wins award

On Oct 21, 1:59*am, IanMiller <g...@uk2.net> wrote:[color=blue]
> On 20 Oct, 18:36, yyyc186 <yyyc...@hughes.net> wrote:
>[color=green]
> > The Minimum You Need to Know About Service Orieted Architecture by
> > Roland Hughes[/color]
>[color=green]
> > Award-Winner in the Business: Technology/Computers/Internet category
> > of the National Best Books 2008 Awards, sponsored by USA Book News[/color]
>[color=green]
> > You can find this book in Island Computer's Web store.[/color]
>
> This is the part where the people around here who have not bought one
> of Roland's book rush to island computers web site and buy one.
> ...[/color]

ROFLMAO

Somehow I doubt that will happen Ian, but thanks for the thought!

Roland
10-21-2008, 11:39 PM
unix

Re: OpenVMS Book Wins award

yyyc186 wrote:[color=blue]
>
> The Minimum You Need to Know About Service Orieted Architecture by
> Roland Hughes
>
> Award-Winner in the Business: Technology/Computers/Internet category
> of the National Best Books 2008 Awards, sponsored by USA Book News
>
> You can find this book in Island Computer's Web store.[/color]

Great job, Roland!

Excellent!

D.J.D.
10-24-2008, 01:12 AM
unix

Re: OpenVMS Book Wins award

yyyc186 wrote:[color=blue]
> The Minimum You Need to Know About Service Orieted Architecture by
> Roland Hughes
>
> Award-Winner in the Business: Technology/Computers/Internet category
> of the National Best Books 2008 Awards, sponsored by USA Book News[/color]

Congratulations Roland!

(I purchased it when AU$ was almost at US$ parity :-)
[color=blue]
> You can find this book in Island Computer's Web store.[/color]
10-25-2008, 12:06 AM
unix

Banana Republic (was Re: OpenVMS Book Wins award)

Hi Mark,
[color=blue]
> (I purchased it when AU$ was almost at US$ parity :-)[/color]

Aaah, it seems like only weeks ago :-(

Cheers Richard Maher

PS. Just in case you don't subscribe to the WHATWG mailing list, do you have
any interest in, or opinions on the following: -

----- Original Message -----
From: "Shannon"
To: "WHAT working group" >
Sent: Tuesday, October 14, 2008 7:22 AM
Subject: [whatwg] WebSocket and proxies

[color=blue]
> In the process of testing my WebSocket proposal I discovered the CONNECT
> method has a major restriction. Most proxies disable CONNECT to anything
> but port 443.
>
> The following is from "Squid and the Blowfish":
> ------------------
> It is very important that you stop CONNECT type requests to non-SSL
> ports. The CONNECT method allows data transfer in any direction at any
> time, regardless of the transport protocol used. As a consequence, a
> malicious user could telnet(1) to a (very) badly configured proxy, enter
> something like:
> ... snip example ...
> and end up connected to the remote server, as if the connection was
> originated by the proxy.
> -------------------
>
> I verified that Squid and all public proxies I tried disable CONNECT by
> default to non-SSL ports. It's unlikely many internet hosts will have
> 443 available for WebSockets if they also run a webserver. It could be
> done with virtual IPs or dedicated hosts but this imposes complex
> requirements and costs over alternatives like CGI.
>
> The availability and capabilities of the OPTIONS and GET protocols also
> varied from proxy to proxy. The IETF draft related to TLS
> ([url]http://tools.ietf.org/html/draft-ietf-tls-http-upgrade-05[/url]) has this to[/color]
say:[color=blue]
>
> -------------------
> 3.2 Mandatory Upgrade
>
> If an unsecured response would be unacceptable, a client MUST send
> an OPTIONS request first to complete the switch to TLS/1.0 (if
> possible).
>
> OPTIONS * HTTP/1.1
> Host: example.bank.com
> Upgrade: TLS/1.0
> Connection: Upgrade
> -------------------
>
> So according to this draft spec OPTIONS is the only way to do a
> *mandatory* upgrade of our connection. Once again this failed in testing
>
> -------------------
> => OPTIONS * HTTP/1.1
> => Proxy-Connection: keep-alive
> => Connection: Upgrade
> => Upgrade: WebSocket/1.0
> => Host: warriorhut.org:8000
> =>
> <= HTTP/1.0 400 Bad Request
> <= Server: squid/3.0.STABLE8
> --------------------
>
> Other proxies gave different errors or simply returned nothing. The
> problem may be related to the Upgrade and Connection headers rather than
> OPTIONS, since I had similar issues using Connection: Upgrade with GET.
>
> I had the most success using GET without a Connection: Upgrade header.
> It seems that the proxy thinks the header is directed at it so it does
> not pass it on to the remote host. In many cases it will abort the
> connection. Using the Upgrade: header without Connection allows the
> Upgrade header through to the actual websocket service.
>
> It seems to me that whatever we try in many cases the connection will be
> silently dropped by the proxy and the reasons will be unclear due to the
> lack of error handling. There seems to be a wide variation in proxy
> behaviour for uncommon operations. I suppose proxy developers could fix
> these issues but whether a significant rollout could be achieved before
> HTML5 is released is questionable.
>
> Given that an asynchronous connection cannot be cached the only reasons
> remaining for going through a proxy are anonymity and firewall
> traversal. Automatically bypassing the users proxy configuration to
> solve the issues above has the potential to break both of these. It
> would be a significant breach of trust for a UA to bypass the users
> proxy and some networks only allow connections via a proxy (for security
> and monitoring).
>
> It seems that we're stuck between a rock and hard place here. In light
> of this I reiterate my earlier suggestion that the time could be better
> spent providing guidelines for communication via an asynchronous CGI
> interface. This would allow reuse of existing port 80 and 443 web
> services which would resolve the cross-domain issues (the CGI can relay
> the actual service via a backend connection) and most of the proxy
> issues above (since proxy GET and CONNECT are more reliable on these[/color]
ports).[color=blue]
>
> Shannon
>[/color]

"Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
news:01110d0c$0$20616$c3e8da3@news.astraweb.com...[color=blue]
> yyyc186 wrote:[color=green]
> > The Minimum You Need to Know About Service Orieted Architecture by
> > Roland Hughes
> >
> > Award-Winner in the Business: Technology/Computers/Internet category
> > of the National Best Books 2008 Awards, sponsored by USA Book News[/color]
>
> Congratulations Roland!
>
> (I purchased it when AU$ was almost at US$ parity :-)
>[color=green]
> > You can find this book in Island Computer's Web store.[/color][/color]
10-25-2008, 01:19 PM
unix

Re: Banana Republic (was Re: OpenVMS Book Wins award)

Richard Maher wrote:[color=blue]
> Hi Mark,
>[color=green]
>> (I purchased it when AU$ was almost at US$ parity :-)[/color]
>
> Aaah, it seems like only weeks ago :-([/color]

I bought it through Barnes and Noble in late May '08 for US$36.00 plus
US$13.00 P&P, and I think my credit card statement said something like
AU$52.00 so it was right at the 'peak'. Why the AU$ currently should be
at US$0.65 now escapes me - perhaps that's one reason I'm still working
for wages.

It was a good 'background' read but not directly applicable to my
daytime duty statement these days. I had not (as I indicated to Roland
I might) gotten around to a public review (that would have required a
second read). Willem Grooters provided one I'd generally endorse.

At around the same time I purchased Heller's, "Catch 22" (shipped to one
of my daughters), Earl's, "Digital Equipment Corporation (MA) (Images
of America)", and Schein's, "DEC Is Dead, Long Live DEC"; all good
reads and all for different reasons. With the exchange rate more like
2:3 I might have to think think more carefully. (The Earl soft-cover is
a particularly easy but also interesting 'read' I'd recommend to all
interested in DEC :-)
[color=blue]
> Cheers Richard Maher
>
> PS. Just in case you don't subscribe to the WHATWG mailing list, do you have
> any interest in, or opinions on the following: -[/color]

No I don't and indirectly I guess I do.

That any network connectivity has some sandboxing doesn't exactly
surprise me. A network conduit (like SSH or HTTP CONNECT) is carte
blanche for whatever the agent wishes to transfer. No constraint would
be considered negligence.

I'm guessing you mention this because the suggestion below that

"that the time could be better spent providing guidelines for
communication via an asynchronous CGI [originally I read GUI :-]
interface."

sounds remarkably like Tier3 :-)

I agree; why would anyone spend time abstracting interfaces if a
monolithic solution is all that is currently required? Of course this
is an entirely fresh (if not novel) discussion point ...
[color=blue]
> ----- Original Message -----
> From: "Shannon"
> To: "WHAT working group" >
> Sent: Tuesday, October 14, 2008 7:22 AM
> Subject: [whatwg] WebSocket and proxies
>
>[color=green]
>> In the process of testing my WebSocket proposal I discovered the CONNECT
>> method has a major restriction. Most proxies disable CONNECT to anything
>> but port 443.
>>
>> The following is from "Squid and the Blowfish":
>> ------------------
>> It is very important that you stop CONNECT type requests to non-SSL
>> ports. The CONNECT method allows data transfer in any direction at any
>> time, regardless of the transport protocol used. As a consequence, a
>> malicious user could telnet(1) to a (very) badly configured proxy, enter
>> something like:
>> ... snip example ...
>> and end up connected to the remote server, as if the connection was
>> originated by the proxy.
>> -------------------
>>
>> I verified that Squid and all public proxies I tried disable CONNECT by
>> default to non-SSL ports. It's unlikely many internet hosts will have
>> 443 available for WebSockets if they also run a webserver. It could be
>> done with virtual IPs or dedicated hosts but this imposes complex
>> requirements and costs over alternatives like CGI.
>>
>> The availability and capabilities of the OPTIONS and GET protocols also
>> varied from proxy to proxy. The IETF draft related to TLS
>> ([url]http://tools.ietf.org/html/draft-ietf-tls-http-upgrade-05[/url]) has this to[/color]
> say:[color=green]
>> -------------------
>> 3.2 Mandatory Upgrade
>>
>> If an unsecured response would be unacceptable, a client MUST send
>> an OPTIONS request first to complete the switch to TLS/1.0 (if
>> possible).
>>
>> OPTIONS * HTTP/1.1
>> Host: example.bank.com
>> Upgrade: TLS/1.0
>> Connection: Upgrade
>> -------------------
>>
>> So according to this draft spec OPTIONS is the only way to do a
>> *mandatory* upgrade of our connection. Once again this failed in testing
>>
>> -------------------
>> => OPTIONS * HTTP/1.1
>> => Proxy-Connection: keep-alive
>> => Connection: Upgrade
>> => Upgrade: WebSocket/1.0
>> => Host: warriorhut.org:8000
>> =>
>> <= HTTP/1.0 400 Bad Request
>> <= Server: squid/3.0.STABLE8
>> --------------------
>>
>> Other proxies gave different errors or simply returned nothing. The
>> problem may be related to the Upgrade and Connection headers rather than
>> OPTIONS, since I had similar issues using Connection: Upgrade with GET.
>>
>> I had the most success using GET without a Connection: Upgrade header.
>> It seems that the proxy thinks the header is directed at it so it does
>> not pass it on to the remote host. In many cases it will abort the
>> connection. Using the Upgrade: header without Connection allows the
>> Upgrade header through to the actual websocket service.
>>
>> It seems to me that whatever we try in many cases the connection will be
>> silently dropped by the proxy and the reasons will be unclear due to the
>> lack of error handling. There seems to be a wide variation in proxy
>> behaviour for uncommon operations. I suppose proxy developers could fix
>> these issues but whether a significant rollout could be achieved before
>> HTML5 is released is questionable.
>>
>> Given that an asynchronous connection cannot be cached the only reasons
>> remaining for going through a proxy are anonymity and firewall
>> traversal. Automatically bypassing the users proxy configuration to
>> solve the issues above has the potential to break both of these. It
>> would be a significant breach of trust for a UA to bypass the users
>> proxy and some networks only allow connections via a proxy (for security
>> and monitoring).
>>
>> It seems that we're stuck between a rock and hard place here. In light
>> of this I reiterate my earlier suggestion that the time could be better
>> spent providing guidelines for communication via an asynchronous CGI
>> interface. This would allow reuse of existing port 80 and 443 web
>> services which would resolve the cross-domain issues (the CGI can relay
>> the actual service via a backend connection) and most of the proxy
>> issues above (since proxy GET and CONNECT are more reliable on these[/color]
> ports).[color=green]
>> Shannon
>>[/color]
>
> "Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
> news:01110d0c$0$20616$c3e8da3@news.astraweb.com...[color=green]
>> yyyc186 wrote:[color=darkred]
>>> The Minimum You Need to Know About Service Orieted Architecture by
>>> Roland Hughes
>>>
>>> Award-Winner in the Business: Technology/Computers/Internet category
>>> of the National Best Books 2008 Awards, sponsored by USA Book News[/color]
>> Congratulations Roland!
>>
>> (I purchased it when AU$ was almost at US$ parity :-)
>>[color=darkred]
>>> You can find this book in Island Computer's Web store.[/color][/color][/color]
10-28-2008, 12:09 PM
unix

Re: Banana Republic (was Re: OpenVMS Book Wins award)

Hi Mark,

Thanks for the reply.
[color=blue]
> I bought it through Barnes and Noble in late May '08 for US$36.00 plus
> US$13.00 P&P, and I think my credit card statement said something like
> AU$52.00 so it was right at the 'peak'. Why the AU$ currently should be
> at US$0.65 now escapes me - perhaps that's one reason I'm still working
> for wages.[/color]

I looked seriously at Perth Mint gold in August (when the bank deposit
guarantee was sweet FA) and Foreign Currency accounts aren't as common here
as they are in the UK. Either way I would (and have) lost big time - but
haven't we all :-(
[color=blue]
> That any network connectivity has some sandboxing doesn't exactly
> surprise me.[/color]

Me either! I'm a big fan of the same-origin, or codebase, policy for Applets
but these guys just want to keep pushing the envelope.
[color=blue]
> A network conduit (like SSH or HTTP CONNECT) is carte
> blanche for whatever the agent wishes to transfer. No constraint would
> be considered negligence.[/color]

Yeah, but here I bow to your much greater experience and ask "What the hell
can a *Socket not HTTP* proxy-server do for me?". Look I wanted a HTTP
CONNECT handshake to give me a Tunnel for my Socket over a httpS connection
to an arbitray TCP/IP server, but it doesn't look doable; please advise.

I also view with interest what the Comet guys are doing with Orbited (see
[url]www.cometdaily.com[/url] for some background) as they don't seem to be bound by
(or have already solved) these proxy-server restrictions.
[color=blue]
> I'm guessing you mention this because the suggestion below that
>
> "that the time could be better spent providing guidelines for
> communication via an asynchronous CGI [originally I read GUI :-]
> interface."
>
> sounds remarkably like Tier3 :-)[/color]

Damn, I'm as transparent and one-domensional as usual :-)

The way I see it is we have two camps (and I'm happy to live with the
pluralism and think there's enough room for everyone).

1) The WebSockets http/html5 guys who have the distinct (and only) advantage
of being able to tunnel out of 80/443 as HTTP

2) The New Order of full-blown, connection-oriented, full-duplex, binary,
Socket Interaction

If Sockets can't traverse public proxy-servers with existing HTTP then
option 1 is no longer on the table as far as I can see?

Anyway, please let me ask the question of why anyone would want to use a
proxy-server for Socket communication?

.. Socket Cacheing - No Thanks
.. Limited client IP addresses - IPV6
.. Anonymity - Not always a good thing
.. Firewall - Open up connections to/from valid hosts/ports
.. Monitoring/filtering - Requirements spec for binary data

Cheers Richard Maher

"Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
news:011308d4$0$20645$c3e8da3@news.astraweb.com...[color=blue]
> Richard Maher wrote:[color=green]
> > Hi Mark,
> >[color=darkred]
> >> (I purchased it when AU$ was almost at US$ parity :-)[/color]
> >
> > Aaah, it seems like only weeks ago :-([/color]
>
> I bought it through Barnes and Noble in late May '08 for US$36.00 plus
> US$13.00 P&P, and I think my credit card statement said something like
> AU$52.00 so it was right at the 'peak'. Why the AU$ currently should be
> at US$0.65 now escapes me - perhaps that's one reason I'm still working
> for wages.
>
> It was a good 'background' read but not directly applicable to my
> daytime duty statement these days. I had not (as I indicated to Roland
> I might) gotten around to a public review (that would have required a
> second read). Willem Grooters provided one I'd generally endorse.
>
> At around the same time I purchased Heller's, "Catch 22" (shipped to one
> of my daughters), Earl's, "Digital Equipment Corporation (MA) (Images
> of America)", and Schein's, "DEC Is Dead, Long Live DEC"; all good
> reads and all for different reasons. With the exchange rate more like
> 2:3 I might have to think think more carefully. (The Earl soft-cover is
> a particularly easy but also interesting 'read' I'd recommend to all
> interested in DEC :-)
>[color=green]
> > Cheers Richard Maher
> >
> > PS. Just in case you don't subscribe to the WHATWG mailing list, do you[/color][/color]
have[color=blue][color=green]
> > any interest in, or opinions on the following: -[/color]
>
> No I don't and indirectly I guess I do.
>
> That any network connectivity has some sandboxing doesn't exactly
> surprise me. A network conduit (like SSH or HTTP CONNECT) is carte
> blanche for whatever the agent wishes to transfer. No constraint would
> be considered negligence.
>
> I'm guessing you mention this because the suggestion below that
>
> "that the time could be better spent providing guidelines for
> communication via an asynchronous CGI [originally I read GUI :-]
> interface."
>
> sounds remarkably like Tier3 :-)
>
> I agree; why would anyone spend time abstracting interfaces if a
> monolithic solution is all that is currently required? Of course this
> is an entirely fresh (if not novel) discussion point ...
>[color=green]
> > ----- Original Message -----
> > From: "Shannon"
> > To: "WHAT working group" >
> > Sent: Tuesday, October 14, 2008 7:22 AM
> > Subject: [whatwg] WebSocket and proxies
> >
> >[color=darkred]
> >> In the process of testing my WebSocket proposal I discovered the[/color][/color][/color]
CONNECT[color=blue][color=green][color=darkred]
> >> method has a major restriction. Most proxies disable CONNECT to[/color][/color][/color]
anything[color=blue][color=green][color=darkred]
> >> but port 443.
> >>
> >> The following is from "Squid and the Blowfish":
> >> ------------------
> >> It is very important that you stop CONNECT type requests to non-SSL
> >> ports. The CONNECT method allows data transfer in any direction at any
> >> time, regardless of the transport protocol used. As a consequence, a
> >> malicious user could telnet(1) to a (very) badly configured proxy,[/color][/color][/color]
enter[color=blue][color=green][color=darkred]
> >> something like:
> >> ... snip example ...
> >> and end up connected to the remote server, as if the connection was
> >> originated by the proxy.
> >> -------------------
> >>
> >> I verified that Squid and all public proxies I tried disable CONNECT by
> >> default to non-SSL ports. It's unlikely many internet hosts will have
> >> 443 available for WebSockets if they also run a webserver. It could be
> >> done with virtual IPs or dedicated hosts but this imposes complex
> >> requirements and costs over alternatives like CGI.
> >>
> >> The availability and capabilities of the OPTIONS and GET protocols also
> >> varied from proxy to proxy. The IETF draft related to TLS
> >> ([url]http://tools.ietf.org/html/draft-ietf-tls-http-upgrade-05[/url]) has this to[/color]
> > say:[color=darkred]
> >> -------------------
> >> 3.2 Mandatory Upgrade
> >>
> >> If an unsecured response would be unacceptable, a client MUST send
> >> an OPTIONS request first to complete the switch to TLS/1.0 (if
> >> possible).
> >>
> >> OPTIONS * HTTP/1.1
> >> Host: example.bank.com
> >> Upgrade: TLS/1.0
> >> Connection: Upgrade
> >> -------------------
> >>
> >> So according to this draft spec OPTIONS is the only way to do a
> >> *mandatory* upgrade of our connection. Once again this failed in[/color][/color][/color]
testing[color=blue][color=green][color=darkred]
> >>
> >> -------------------
> >> => OPTIONS * HTTP/1.1
> >> => Proxy-Connection: keep-alive
> >> => Connection: Upgrade
> >> => Upgrade: WebSocket/1.0
> >> => Host: warriorhut.org:8000
> >> =>
> >> <= HTTP/1.0 400 Bad Request
> >> <= Server: squid/3.0.STABLE8
> >> --------------------
> >>
> >> Other proxies gave different errors or simply returned nothing. The
> >> problem may be related to the Upgrade and Connection headers rather[/color][/color][/color]
than[color=blue][color=green][color=darkred]
> >> OPTIONS, since I had similar issues using Connection: Upgrade with GET.
> >>
> >> I had the most success using GET without a Connection: Upgrade header.
> >> It seems that the proxy thinks the header is directed at it so it does
> >> not pass it on to the remote host. In many cases it will abort the
> >> connection. Using the Upgrade: header without Connection allows the
> >> Upgrade header through to the actual websocket service.
> >>
> >> It seems to me that whatever we try in many cases the connection will[/color][/color][/color]
be[color=blue][color=green][color=darkred]
> >> silently dropped by the proxy and the reasons will be unclear due to[/color][/color][/color]
the[color=blue][color=green][color=darkred]
> >> lack of error handling. There seems to be a wide variation in proxy
> >> behaviour for uncommon operations. I suppose proxy developers could fix
> >> these issues but whether a significant rollout could be achieved before
> >> HTML5 is released is questionable.
> >>
> >> Given that an asynchronous connection cannot be cached the only reasons
> >> remaining for going through a proxy are anonymity and firewall
> >> traversal. Automatically bypassing the users proxy configuration to
> >> solve the issues above has the potential to break both of these. It
> >> would be a significant breach of trust for a UA to bypass the users
> >> proxy and some networks only allow connections via a proxy (for[/color][/color][/color]
security[color=blue][color=green][color=darkred]
> >> and monitoring).
> >>
> >> It seems that we're stuck between a rock and hard place here. In light
> >> of this I reiterate my earlier suggestion that the time could be better
> >> spent providing guidelines for communication via an asynchronous CGI
> >> interface. This would allow reuse of existing port 80 and 443 web
> >> services which would resolve the cross-domain issues (the CGI can relay
> >> the actual service via a backend connection) and most of the proxy
> >> issues above (since proxy GET and CONNECT are more reliable on these[/color]
> > ports).[color=darkred]
> >> Shannon
> >>[/color]
> >
> > "Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
> > news:01110d0c$0$20616$c3e8da3@news.astraweb.com...[color=darkred]
> >> yyyc186 wrote:
> >>> The Minimum You Need to Know About Service Orieted Architecture by
> >>> Roland Hughes
> >>>
> >>> Award-Winner in the Business: Technology/Computers/Internet category
> >>> of the National Best Books 2008 Awards, sponsored by USA Book News
> >> Congratulations Roland!
> >>
> >> (I purchased it when AU$ was almost at US$ parity :-)
> >>
> >>> You can find this book in Island Computer's Web store.[/color][/color][/color]
10-29-2008, 10:01 AM
unix

Re: Banana Republic (was Re: OpenVMS Book Wins award)

Richard Maher wrote:[color=blue]
> Hi Mark,
>
> Thanks for the reply.
>[color=green]
>> I bought it through Barnes and Noble in late May '08 for US$36.00 plus
>> US$13.00 P&P, and I think my credit card statement said something like
>> AU$52.00 so it was right at the 'peak'. Why the AU$ currently should be
>> at US$0.65 now escapes me - perhaps that's one reason I'm still working
>> for wages.[/color]
>
> I looked seriously at Perth Mint gold in August (when the bank deposit
> guarantee was sweet FA) and Foreign Currency accounts aren't as common here
> as they are in the UK. Either way I would (and have) lost big time - but
> haven't we all :-(
>[color=green]
>> That any network connectivity has some sandboxing doesn't exactly
>> surprise me.[/color]
>
> Me either! I'm a big fan of the same-origin, or codebase, policy for Applets
> but these guys just want to keep pushing the envelope.[/color]

I noted the post on Adobe policy files.
[color=blue][color=green]
>> A network conduit (like SSH or HTTP CONNECT) is carte
>> blanche for whatever the agent wishes to transfer. No constraint would
>> be considered negligence.[/color]
>
> Yeah, but here I bow[/color]

;-)
[color=blue]
> to your much greater experience and ask "What the hell
> can a *Socket not HTTP* proxy-server do for me?".[/color]

Isn't a(n IP) socket proxy that doesn't explicitly talk HTTP during
setup a one-to-one NAT router? And if accepting external connection
requests, a static port mapping NAT router, into/through the DMZ and
onto internal services? And so forth through the NAT variants.
[color=blue]
> Look I wanted a HTTP
> CONNECT handshake to give me a Tunnel for my Socket over a httpS connection
> to an arbitray TCP/IP server, but it doesn't look doable; please advise.[/color]

I can but reframe my previous comment; unconstrained connectivity from
browser based applications is surely like signing a full book of blank
cheques.
[color=blue]
> I also view with interest what the Comet guys are doing with Orbited (see
> [url]www.cometdaily.com[/url] for some background) as they don't seem to be bound by
> (or have already solved) these proxy-server restrictions.[/color]

AIUI; Orbited is a service used to accept Web-style socket connection
requests from browsers, establish Comet-style, bidirectional
communication with the browser, then proxy (or forward, or gateway, or
<whatever-you-feel-comfortable-describing-it-as>) that communication via
a TCP socket to the requested end-point. Without some sort of access
control it functions as an open relay - carte blanche. With access
control it's a lot like most CONNECT proxy, or at least CONNECT
reverse-proxy. Of course it's a bit more than that (but isn't
everything!) Until Web Sockets become commonplace it uses a number of
approaches to *emulate* asynchronous comms with current browsers.

AIUI; Comet is a broad term used to described leveraging HTTP
server-push of unsolicited/unpolled/asynchronous data to the browser,
using existing HTTP technologies, most commonly, though not restricted
to, streaming of a series individual response data 'inside' a persisting
HTTP connection, currently via 'long polling' and XMLhttpRequest() or
<script> tag instances. It's a compromise hack. Not perfect but it
works. Of course it's more than this (but then isn't everything!)
Undoubtably it will(/is) develop(ing) to encompass Web Sockets, etc.

Both are broad, evolving concepts and implementations.

FYIW; I have an (as-yet) unpublished Web application displaying
elementary graphs of $GETRMI (monitor) data. It uses a Comet-style
<IFRAME> and streaming long-poll. When system data changes it generates
a <script>ed function call into browser JavaScript that supplies data
values which the application JavaScript then graphs or displays. One
buffered I/O of a few tens to a few hundreds of bytes (depending on what
data have changed) per sample period. Negligible CPU ticks. Not
full-duplex but not synchronous-poll either.
[color=blue][color=green]
>> I'm guessing you mention this because the suggestion below that
>>
>> "that the time could be better spent providing guidelines for
>> communication via an asynchronous CGI [originally I read GUI :-]
>> interface."
>>
>> sounds remarkably like Tier3 :-)[/color]
>
> Damn, I'm as transparent and one-domensional as usual :-)
>
> The way I see it is we have two camps (and I'm happy to live with the
> pluralism and think there's enough room for everyone).
>
> 1) The WebSockets http/html5 guys who have the distinct (and only) advantage
> of being able to tunnel out of 80/443 as HTTP[/color]

If you mean, provide asynchronous (event triggered), binary (non-HTTP)
comms using these ports then yes. Of course there is no reason why the
services requested over these ports cannot further proxy the binary to
TCP anything-configured. IMO the bottom line is (again) access-control.
Whether this is the lone advantage is moot.

Of course Web Sockets require specialised server (and proxy server) as
well as client (browser) support.

The WASD mudmap includes Web Sockets server support (either 10.0 in
mid-'09, or 10.1 in mid-'10). Perhaps once HTML5 moves from draft :-}
[color=blue]
> 2) The New Order of full-blown, connection-oriented, full-duplex, binary,
> Socket Interaction[/color]

No doubt this will be remarkably versatile in the absence of sandboxing,
with many-and-varied conduits established between user's browsers and
all manner of 'services'.
[color=blue]
> If Sockets can't traverse public proxy-servers with existing HTTP then
> option 1 is no longer on the table as far as I can see?[/color]

This one has lost me but I'll have a go at two of the possible intents:

1) If you mean Web Sockets can't through existing HTTP proxy then the
answer seems to me that they are designed to do just that. Web Sockets
behind proxy servers know it and appropriately CONNECT to tunnel.

2) If you mean TCP sockets can't then no, unless they speak the
application-level protocol required by the proxy (which would make them
Web Sockets for all intents and purposes :-)
[color=blue]
> Anyway, please let me ask the question of why anyone would want to use a
> proxy-server for Socket communication?
>
> . Socket Cacheing - No Thanks[/color]

Difficult to cache without meta-data.
[color=blue]
> . Limited client IP addresses - IPV6[/color]

Still a ways off. And there's always the private/public address thingy.
[color=blue]
> . Anonymity - Not always a good thing[/color]

Internal opacity usually is a good thing.
[color=blue]
> . Firewall - Open up connections to/from valid hosts/ports[/color]

Access control usually is a good thing.
[color=blue]
> . Monitoring/filtering - Requirements spec for binary data[/color]

Many organisations have a legal requirement to audit their activities.
Certainly mine does.

BFN, Mark.
[color=blue]
> Cheers Richard Maher
>
> "Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
> news:011308d4$0$20645$c3e8da3@news.astraweb.com...[color=green]
>> Richard Maher wrote:[color=darkred]
>>> Hi Mark,
>>>
>>>> (I purchased it when AU$ was almost at US$ parity :-)
>>> Aaah, it seems like only weeks ago :-([/color]
>> I bought it through Barnes and Noble in late May '08 for US$36.00 plus
>> US$13.00 P&P, and I think my credit card statement said something like
>> AU$52.00 so it was right at the 'peak'. Why the AU$ currently should be
>> at US$0.65 now escapes me - perhaps that's one reason I'm still working
>> for wages.
>>
>> It was a good 'background' read but not directly applicable to my
>> daytime duty statement these days. I had not (as I indicated to Roland
>> I might) gotten around to a public review (that would have required a
>> second read). Willem Grooters provided one I'd generally endorse.
>>
>> At around the same time I purchased Heller's, "Catch 22" (shipped to one
>> of my daughters), Earl's, "Digital Equipment Corporation (MA) (Images
>> of America)", and Schein's, "DEC Is Dead, Long Live DEC"; all good
>> reads and all for different reasons. With the exchange rate more like
>> 2:3 I might have to think think more carefully. (The Earl soft-cover is
>> a particularly easy but also interesting 'read' I'd recommend to all
>> interested in DEC :-)
>>[color=darkred]
>>> Cheers Richard Maher
>>>
>>> PS. Just in case you don't subscribe to the WHATWG mailing list, do you[/color][/color]
> have[color=green][color=darkred]
>>> any interest in, or opinions on the following: -[/color]
>> No I don't and indirectly I guess I do.
>>
>> That any network connectivity has some sandboxing doesn't exactly
>> surprise me. A network conduit (like SSH or HTTP CONNECT) is carte
>> blanche for whatever the agent wishes to transfer. No constraint would
>> be considered negligence.
>>
>> I'm guessing you mention this because the suggestion below that
>>
>> "that the time could be better spent providing guidelines for
>> communication via an asynchronous CGI [originally I read GUI :-]
>> interface."
>>
>> sounds remarkably like Tier3 :-)
>>
>> I agree; why would anyone spend time abstracting interfaces if a
>> monolithic solution is all that is currently required? Of course this
>> is an entirely fresh (if not novel) discussion point ...
>>[color=darkred]
>>> ----- Original Message -----
>>> From: "Shannon"
>>> To: "WHAT working group" >
>>> Sent: Tuesday, October 14, 2008 7:22 AM
>>> Subject: [whatwg] WebSocket and proxies
>>>
>>>
>>>> In the process of testing my WebSocket proposal I discovered the[/color][/color]
> CONNECT[color=green][color=darkred]
>>>> method has a major restriction. Most proxies disable CONNECT to[/color][/color]
> anything[color=green][color=darkred]
>>>> but port 443.
>>>>
>>>> The following is from "Squid and the Blowfish":
>>>> ------------------
>>>> It is very important that you stop CONNECT type requests to non-SSL
>>>> ports. The CONNECT method allows data transfer in any direction at any
>>>> time, regardless of the transport protocol used. As a consequence, a
>>>> malicious user could telnet(1) to a (very) badly configured proxy,[/color][/color]
> enter[color=green][color=darkred]
>>>> something like:
>>>> ... snip example ...
>>>> and end up connected to the remote server, as if the connection was
>>>> originated by the proxy.
>>>> -------------------
>>>>
>>>> I verified that Squid and all public proxies I tried disable CONNECT by
>>>> default to non-SSL ports. It's unlikely many internet hosts will have
>>>> 443 available for WebSockets if they also run a webserver. It could be
>>>> done with virtual IPs or dedicated hosts but this imposes complex
>>>> requirements and costs over alternatives like CGI.
>>>>
>>>> The availability and capabilities of the OPTIONS and GET protocols also
>>>> varied from proxy to proxy. The IETF draft related to TLS
>>>> ([url]http://tools.ietf.org/html/draft-ietf-tls-http-upgrade-05[/url]) has this to
>>> say:
>>>> -------------------
>>>> 3.2 Mandatory Upgrade
>>>>
>>>> If an unsecured response would be unacceptable, a client MUST send
>>>> an OPTIONS request first to complete the switch to TLS/1.0 (if
>>>> possible).
>>>>
>>>> OPTIONS * HTTP/1.1
>>>> Host: example.bank.com
>>>> Upgrade: TLS/1.0
>>>> Connection: Upgrade
>>>> -------------------
>>>>
>>>> So according to this draft spec OPTIONS is the only way to do a
>>>> *mandatory* upgrade of our connection. Once again this failed in[/color][/color]
> testing[color=green][color=darkred]
>>>> -------------------
>>>> => OPTIONS * HTTP/1.1
>>>> => Proxy-Connection: keep-alive
>>>> => Connection: Upgrade
>>>> => Upgrade: WebSocket/1.0
>>>> => Host: warriorhut.org:8000
>>>> =>
>>>> <= HTTP/1.0 400 Bad Request
>>>> <= Server: squid/3.0.STABLE8
>>>> --------------------
>>>>
>>>> Other proxies gave different errors or simply returned nothing. The
>>>> problem may be related to the Upgrade and Connection headers rather[/color][/color]
> than[color=green][color=darkred]
>>>> OPTIONS, since I had similar issues using Connection: Upgrade with GET.
>>>>
>>>> I had the most success using GET without a Connection: Upgrade header.
>>>> It seems that the proxy thinks the header is directed at it so it does
>>>> not pass it on to the remote host. In many cases it will abort the
>>>> connection. Using the Upgrade: header without Connection allows the
>>>> Upgrade header through to the actual websocket service.
>>>>
>>>> It seems to me that whatever we try in many cases the connection will[/color][/color]
> be[color=green][color=darkred]
>>>> silently dropped by the proxy and the reasons will be unclear due to[/color][/color]
> the[color=green][color=darkred]
>>>> lack of error handling. There seems to be a wide variation in proxy
>>>> behaviour for uncommon operations. I suppose proxy developers could fix
>>>> these issues but whether a significant rollout could be achieved before
>>>> HTML5 is released is questionable.
>>>>
>>>> Given that an asynchronous connection cannot be cached the only reasons
>>>> remaining for going through a proxy are anonymity and firewall
>>>> traversal. Automatically bypassing the users proxy configuration to
>>>> solve the issues above has the potential to break both of these. It
>>>> would be a significant breach of trust for a UA to bypass the users
>>>> proxy and some networks only allow connections via a proxy (for[/color][/color]
> security[color=green][color=darkred]
>>>> and monitoring).
>>>>
>>>> It seems that we're stuck between a rock and hard place here. In light
>>>> of this I reiterate my earlier suggestion that the time could be better
>>>> spent providing guidelines for communication via an asynchronous CGI
>>>> interface. This would allow reuse of existing port 80 and 443 web
>>>> services which would resolve the cross-domain issues (the CGI can relay
>>>> the actual service via a backend connection) and most of the proxy
>>>> issues above (since proxy GET and CONNECT are more reliable on these
>>> ports).
>>>> Shannon
>>>>
>>> "Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
>>> news:01110d0c$0$20616$c3e8da3@news.astraweb.com...
>>>> yyyc186 wrote:
>>>>> The Minimum You Need to Know About Service Orieted Architecture by
>>>>> Roland Hughes
>>>>>
>>>>> Award-Winner in the Business: Technology/Computers/Internet category
>>>>> of the National Best Books 2008 Awards, sponsored by USA Book News
>>>> Congratulations Roland!
>>>>
>>>> (I purchased it when AU$ was almost at US$ parity :-)
>>>>
>>>>> You can find this book in Island Computer's Web store.[/color][/color]
>
>[/color]
10-29-2008, 11:24 AM
unix

OpenVMS Book Wins award

On Oct 20, 1:36*pm, yyyc186 <yyyc...@hughes.net> wrote:[color=blue]
> The Minimum You Need to Know About Service Orieted Architecture by
> Roland Hughes
>
> Award-Winner in the Business: Technology/Computers/Internet category
> of the National Best Books 2008 Awards, sponsored by USA Book News
>
> You can find this book in Island Computer's Web store.
>[/color]

We've purchased at least two copies of each one of Roland Hughes'
books as office resources. Sometimes we OpenVMS developers (who
usually have a little snow on the chimney) need a book like "The
Minimum You Need to Know About Service Oriented Architecture" just to
be able to translate the current world of false promises into OpenVMS
reality.

Neil Rieck
Kitchener/Waterloo/Cambridge,
Ontario, Canada.
[url]http://www3.sympatico.ca/n.rieck/[/url]
[url]http://www3.sympatico.ca/n.rieck/OpenVMS.html[/url]
11-09-2008, 12:10 AM
unix

Re: Banana Republic (was Re: OpenVMS Book Wins award)

Hi Mark,

Thanks for the reply. (Sorry for the delay)
[color=blue]
> I noted the post on Adobe policy files.[/color]

I think the HTML5 people ignore policy-files at their peril. (Not that they
seem to care as their world is all HTTP-shaped with no end of lovely
"headers")
[color=blue]
> [Orbited] Without some sort of access
> control it functions as an open relay - carte blanche.[/color]

I haven't used it but I believe they have some sort of white-list.
[color=blue]
> Both are broad, evolving concepts and implementations.[/color]

Unlike TCP/IP and/or UDP Sockets with Java that have been around since year
dot. (Ok, sandboxed or signed up until now)
[color=blue]
> FYIW; I have an (as-yet) unpublished Web application displaying
> elementary graphs of $GETRMI (monitor) data. It uses a Comet-style
> <IFRAME> and streaming long-poll. When system data changes it generates
> a <script>ed function call into browser JavaScript that supplies data
> values which the application JavaScript then graphs or displays. One
> buffered I/O of a few tens to a few hundreds of bytes (depending on what
> data have changed) per sample period. Negligible CPU ticks. Not
> full-duplex but not synchronous-poll either.[/color]

Look, polling is anathema to me but when it comes to System Stats or
RMU/SHOW STATS etc, I don't have that much of a problem with it. I mean to
try to fire off an event every time something happens on a system or a
database might generate a bit of a flood. And each users might like to set
their own "sample" (or poll) interval?

Anyway, I understand it's "How your example works" rather than "What it's
doing" that's important. Sounds interesting, I look forward to seeing it.

Though, one thing I have been curious about with Comet (and possibly your
example) is what is the server thread/process doing while it's waiting for
(say Stock Price for FMG to change or to move past some limit(s)) Is this
thread/process serving *all* clients or is there a 1:1 relationship? How is
the connection-state and context maintained between the producing-service(s)
and the consuming client? Is the thread/process unavailable for servicing
other requests while it's streaming its long-poll (or words to that effect
:-)
[color=blue]
> If you mean, provide asynchronous (event triggered), binary (non-HTTP)
> comms using these ports then yes. Of course there is no reason why the
> services requested over these ports cannot further proxy the binary to
> TCP anything-configured. IMO the bottom line is (again) access-control.
> Whether this is the lone advantage is moot.[/color]

But I thought this is what the mail from Shannon of the WHATWG (in my
earlier post) describes as problematic? - I'm confused.
[color=blue][color=green]
> > If Sockets can't traverse public proxy-servers with existing HTTP then
> > option 1 is no longer on the table as far as I can see?[/color]
>
> This one has lost me but I'll have a go at two of the possible intents:
>
> 1) If you mean Web Sockets can't through existing HTTP proxy then the
> answer seems to me that they are designed to do just that. Web Sockets
> behind proxy servers know it and appropriately CONNECT to tunnel.[/color]

I thought that's what Shannon was saying was problematic as they do go
through, but all roads lead to 443?

Cheers Richard Maher

"Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
news:0118206d$0$20660$c3e8da3@news.astraweb.com...[color=blue]
> Richard Maher wrote:[color=green]
> > Hi Mark,
> >
> > Thanks for the reply.
> >[color=darkred]
> >> I bought it through Barnes and Noble in late May '08 for US$36.00 plus
> >> US$13.00 P&P, and I think my credit card statement said something like
> >> AU$52.00 so it was right at the 'peak'. Why the AU$ currently should[/color][/color][/color]
be[color=blue][color=green][color=darkred]
> >> at US$0.65 now escapes me - perhaps that's one reason I'm still working
> >> for wages.[/color]
> >
> > I looked seriously at Perth Mint gold in August (when the bank deposit
> > guarantee was sweet FA) and Foreign Currency accounts aren't as common[/color][/color]
here[color=blue][color=green]
> > as they are in the UK. Either way I would (and have) lost big time - but
> > haven't we all :-(
> >[color=darkred]
> >> That any network connectivity has some sandboxing doesn't exactly
> >> surprise me.[/color]
> >
> > Me either! I'm a big fan of the same-origin, or codebase, policy for[/color][/color]
Applets[color=blue][color=green]
> > but these guys just want to keep pushing the envelope.[/color]
>
> I noted the post on Adobe policy files.
>[color=green][color=darkred]
> >> A network conduit (like SSH or HTTP CONNECT) is carte
> >> blanche for whatever the agent wishes to transfer. No constraint would
> >> be considered negligence.[/color]
> >
> > Yeah, but here I bow[/color]
>
> ;-)
>[color=green]
> > to your much greater experience and ask "What the hell
> > can a *Socket not HTTP* proxy-server do for me?".[/color]
>
> Isn't a(n IP) socket proxy that doesn't explicitly talk HTTP during
> setup a one-to-one NAT router? And if accepting external connection
> requests, a static port mapping NAT router, into/through the DMZ and
> onto internal services? And so forth through the NAT variants.
>[color=green]
> > Look I wanted a HTTP
> > CONNECT handshake to give me a Tunnel for my Socket over a httpS[/color][/color]
connection[color=blue][color=green]
> > to an arbitray TCP/IP server, but it doesn't look doable; please advise.[/color]
>
> I can but reframe my previous comment; unconstrained connectivity from
> browser based applications is surely like signing a full book of blank
> cheques.
>[color=green]
> > I also view with interest what the Comet guys are doing with Orbited[/color][/color]
(see[color=blue][color=green]
> > [url]www.cometdaily.com[/url] for some background) as they don't seem to be bound[/color][/color]
by[color=blue][color=green]
> > (or have already solved) these proxy-server restrictions.[/color]
>
> AIUI; Orbited is a service used to accept Web-style socket connection
> requests from browsers, establish Comet-style, bidirectional
> communication with the browser, then proxy (or forward, or gateway, or
> <whatever-you-feel-comfortable-describing-it-as>) that communication via
> a TCP socket to the requested end-point. Without some sort of access
> control it functions as an open relay - carte blanche. With access
> control it's a lot like most CONNECT proxy, or at least CONNECT
> reverse-proxy. Of course it's a bit more than that (but isn't
> everything!) Until Web Sockets become commonplace it uses a number of
> approaches to *emulate* asynchronous comms with current browsers.
>
> AIUI; Comet is a broad term used to described leveraging HTTP
> server-push of unsolicited/unpolled/asynchronous data to the browser,
> using existing HTTP technologies, most commonly, though not restricted
> to, streaming of a series individual response data 'inside' a persisting
> HTTP connection, currently via 'long polling' and XMLhttpRequest() or
> <script> tag instances. It's a compromise hack. Not perfect but it
> works. Of course it's more than this (but then isn't everything!)
> Undoubtably it will(/is) develop(ing) to encompass Web Sockets, etc.
>
> Both are broad, evolving concepts and implementations.
>
> FYIW; I have an (as-yet) unpublished Web application displaying
> elementary graphs of $GETRMI (monitor) data. It uses a Comet-style
> <IFRAME> and streaming long-poll. When system data changes it generates
> a <script>ed function call into browser JavaScript that supplies data
> values which the application JavaScript then graphs or displays. One
> buffered I/O of a few tens to a few hundreds of bytes (depending on what
> data have changed) per sample period. Negligible CPU ticks. Not
> full-duplex but not synchronous-poll either.
>[color=green][color=darkred]
> >> I'm guessing you mention this because the suggestion below that
> >>
> >> "that the time could be better spent providing guidelines for
> >> communication via an asynchronous CGI [originally I read GUI :-]
> >> interface."
> >>
> >> sounds remarkably like Tier3 :-)[/color]
> >
> > Damn, I'm as transparent and one-domensional as usual :-)
> >
> > The way I see it is we have two camps (and I'm happy to live with the
> > pluralism and think there's enough room for everyone).
> >
> > 1) The WebSockets http/html5 guys who have the distinct (and only)[/color][/color]
advantage[color=blue][color=green]
> > of being able to tunnel out of 80/443 as HTTP[/color]
>
> If you mean, provide asynchronous (event triggered), binary (non-HTTP)
> comms using these ports then yes. Of course there is no reason why the
> services requested over these ports cannot further proxy the binary to
> TCP anything-configured. IMO the bottom line is (again) access-control.
> Whether this is the lone advantage is moot.
>
> Of course Web Sockets require specialised server (and proxy server) as
> well as client (browser) support.
>
> The WASD mudmap includes Web Sockets server support (either 10.0 in
> mid-'09, or 10.1 in mid-'10). Perhaps once HTML5 moves from draft :-}
>[color=green]
> > 2) The New Order of full-blown, connection-oriented, full-duplex,[/color][/color]
binary,[color=blue][color=green]
> > Socket Interaction[/color]
>
> No doubt this will be remarkably versatile in the absence of sandboxing,
> with many-and-varied conduits established between user's browsers and
> all manner of 'services'.
>[color=green]
> > If Sockets can't traverse public proxy-servers with existing HTTP then
> > option 1 is no longer on the table as far as I can see?[/color]
>
> This one has lost me but I'll have a go at two of the possible intents:
>
> 1) If you mean Web Sockets can't through existing HTTP proxy then the
> answer seems to me that they are designed to do just that. Web Sockets
> behind proxy servers know it and appropriately CONNECT to tunnel.
>
> 2) If you mean TCP sockets can't then no, unless they speak the
> application-level protocol required by the proxy (which would make them
> Web Sockets for all intents and purposes :-)
>[color=green]
> > Anyway, please let me ask the question of why anyone would want to use a
> > proxy-server for Socket communication?
> >
> > . Socket Cacheing - No Thanks[/color]
>
> Difficult to cache without meta-data.
>[color=green]
> > . Limited client IP addresses - IPV6[/color]
>
> Still a ways off. And there's always the private/public address thingy.
>[color=green]
> > . Anonymity - Not always a good thing[/color]
>
> Internal opacity usually is a good thing.
>[color=green]
> > . Firewall - Open up connections to/from valid hosts/ports[/color]
>
> Access control usually is a good thing.
>[color=green]
> > . Monitoring/filtering - Requirements spec for binary data[/color]
>
> Many organisations have a legal requirement to audit their activities.
> Certainly mine does.
>
> BFN, Mark.
>[color=green]
> > Cheers Richard Maher
> >
> > "Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
> > news:011308d4$0$20645$c3e8da3@news.astraweb.com...[color=darkred]
> >> Richard Maher wrote:
> >>> Hi Mark,
> >>>
> >>>> (I purchased it when AU$ was almost at US$ parity :-)
> >>> Aaah, it seems like only weeks ago :-(
> >> I bought it through Barnes and Noble in late May '08 for US$36.00 plus
> >> US$13.00 P&P, and I think my credit card statement said something like
> >> AU$52.00 so it was right at the 'peak'. Why the AU$ currently should[/color][/color][/color]
be[color=blue][color=green][color=darkred]
> >> at US$0.65 now escapes me - perhaps that's one reason I'm still working
> >> for wages.
> >>
> >> It was a good 'background' read but not directly applicable to my
> >> daytime duty statement these days. I had not (as I indicated to Roland
> >> I might) gotten around to a public review (that would have required a
> >> second read). Willem Grooters provided one I'd generally endorse.
> >>
> >> At around the same time I purchased Heller's, "Catch 22" (shipped to[/color][/color][/color]
one[color=blue][color=green][color=darkred]
> >> of my daughters), Earl's, "Digital Equipment Corporation (MA) (Images
> >> of America)", and Schein's, "DEC Is Dead, Long Live DEC"; all good
> >> reads and all for different reasons. With the exchange rate more like
> >> 2:3 I might have to think think more carefully. (The Earl soft-cover[/color][/color][/color]
is[color=blue][color=green][color=darkred]
> >> a particularly easy but also interesting 'read' I'd recommend to all
> >> interested in DEC :-)
> >>
> >>> Cheers Richard Maher
> >>>
> >>> PS. Just in case you don't subscribe to the WHATWG mailing list, do[/color][/color][/color]
you[color=blue][color=green]
> > have[color=darkred]
> >>> any interest in, or opinions on the following: -
> >> No I don't and indirectly I guess I do.
> >>
> >> That any network connectivity has some sandboxing doesn't exactly
> >> surprise me. A network conduit (like SSH or HTTP CONNECT) is carte
> >> blanche for whatever the agent wishes to transfer. No constraint would
> >> be considered negligence.
> >>
> >> I'm guessing you mention this because the suggestion below that
> >>
> >> "that the time could be better spent providing guidelines for
> >> communication via an asynchronous CGI [originally I read GUI :-]
> >> interface."
> >>
> >> sounds remarkably like Tier3 :-)
> >>
> >> I agree; why would anyone spend time abstracting interfaces if a
> >> monolithic solution is all that is currently required? Of course this
> >> is an entirely fresh (if not novel) discussion point ...
> >>
> >>> ----- Original Message -----
> >>> From: "Shannon"
> >>> To: "WHAT working group" >
> >>> Sent: Tuesday, October 14, 2008 7:22 AM
> >>> Subject: [whatwg] WebSocket and proxies
> >>>
> >>>
> >>>> In the process of testing my WebSocket proposal I discovered the[/color]
> > CONNECT[color=darkred]
> >>>> method has a major restriction. Most proxies disable CONNECT to[/color]
> > anything[color=darkred]
> >>>> but port 443.
> >>>>
> >>>> The following is from "Squid and the Blowfish":
> >>>> ------------------
> >>>> It is very important that you stop CONNECT type requests to non-SSL
> >>>> ports. The CONNECT method allows data transfer in any direction at[/color][/color][/color]
any[color=blue][color=green][color=darkred]
> >>>> time, regardless of the transport protocol used. As a consequence, a
> >>>> malicious user could telnet(1) to a (very) badly configured proxy,[/color]
> > enter[color=darkred]
> >>>> something like:
> >>>> ... snip example ...
> >>>> and end up connected to the remote server, as if the connection was
> >>>> originated by the proxy.
> >>>> -------------------
> >>>>
> >>>> I verified that Squid and all public proxies I tried disable CONNECT[/color][/color][/color]
by[color=blue][color=green][color=darkred]
> >>>> default to non-SSL ports. It's unlikely many internet hosts will have
> >>>> 443 available for WebSockets if they also run a webserver. It could[/color][/color][/color]
be[color=blue][color=green][color=darkred]
> >>>> done with virtual IPs or dedicated hosts but this imposes complex
> >>>> requirements and costs over alternatives like CGI.
> >>>>
> >>>> The availability and capabilities of the OPTIONS and GET protocols[/color][/color][/color]
also[color=blue][color=green][color=darkred]
> >>>> varied from proxy to proxy. The IETF draft related to TLS
> >>>> ([url]http://tools.ietf.org/html/draft-ietf-tls-http-upgrade-05[/url]) has this[/color][/color][/color]
to[color=blue][color=green][color=darkred]
> >>> say:
> >>>> -------------------
> >>>> 3.2 Mandatory Upgrade
> >>>>
> >>>> If an unsecured response would be unacceptable, a client MUST send
> >>>> an OPTIONS request first to complete the switch to TLS/1.0 (if
> >>>> possible).
> >>>>
> >>>> OPTIONS * HTTP/1.1
> >>>> Host: example.bank.com
> >>>> Upgrade: TLS/1.0
> >>>> Connection: Upgrade
> >>>> -------------------
> >>>>
> >>>> So according to this draft spec OPTIONS is the only way to do a
> >>>> *mandatory* upgrade of our connection. Once again this failed in[/color]
> > testing[color=darkred]
> >>>> -------------------
> >>>> => OPTIONS * HTTP/1.1
> >>>> => Proxy-Connection: keep-alive
> >>>> => Connection: Upgrade
> >>>> => Upgrade: WebSocket/1.0
> >>>> => Host: warriorhut.org:8000
> >>>> =>
> >>>> <= HTTP/1.0 400 Bad Request
> >>>> <= Server: squid/3.0.STABLE8
> >>>> --------------------
> >>>>
> >>>> Other proxies gave different errors or simply returned nothing. The
> >>>> problem may be related to the Upgrade and Connection headers rather[/color]
> > than[color=darkred]
> >>>> OPTIONS, since I had similar issues using Connection: Upgrade with[/color][/color][/color]
GET.[color=blue][color=green][color=darkred]
> >>>>
> >>>> I had the most success using GET without a Connection: Upgrade[/color][/color][/color]
header.[color=blue][color=green][color=darkred]
> >>>> It seems that the proxy thinks the header is directed at it so it[/color][/color][/color]
does[color=blue][color=green][color=darkred]
> >>>> not pass it on to the remote host. In many cases it will abort the
> >>>> connection. Using the Upgrade: header without Connection allows the
> >>>> Upgrade header through to the actual websocket service.
> >>>>
> >>>> It seems to me that whatever we try in many cases the connection will[/color]
> > be[color=darkred]
> >>>> silently dropped by the proxy and the reasons will be unclear due to[/color]
> > the[color=darkred]
> >>>> lack of error handling. There seems to be a wide variation in proxy
> >>>> behaviour for uncommon operations. I suppose proxy developers could[/color][/color][/color]
fix[color=blue][color=green][color=darkred]
> >>>> these issues but whether a significant rollout could be achieved[/color][/color][/color]
before[color=blue][color=green][color=darkred]
> >>>> HTML5 is released is questionable.
> >>>>
> >>>> Given that an asynchronous connection cannot be cached the only[/color][/color][/color]
reasons[color=blue][color=green][color=darkred]
> >>>> remaining for going through a proxy are anonymity and firewall
> >>>> traversal. Automatically bypassing the users proxy configuration to
> >>>> solve the issues above has the potential to break both of these. It
> >>>> would be a significant breach of trust for a UA to bypass the users
> >>>> proxy and some networks only allow connections via a proxy (for[/color]
> > security[color=darkred]
> >>>> and monitoring).
> >>>>
> >>>> It seems that we're stuck between a rock and hard place here. In[/color][/color][/color]
light[color=blue][color=green][color=darkred]
> >>>> of this I reiterate my earlier suggestion that the time could be[/color][/color][/color]
better[color=blue][color=green][color=darkred]
> >>>> spent providing guidelines for communication via an asynchronous CGI
> >>>> interface. This would allow reuse of existing port 80 and 443 web
> >>>> services which would resolve the cross-domain issues (the CGI can[/color][/color][/color]
relay[color=blue][color=green][color=darkred]
> >>>> the actual service via a backend connection) and most of the proxy
> >>>> issues above (since proxy GET and CONNECT are more reliable on these
> >>> ports).
> >>>> Shannon
> >>>>
> >>> "Mark Daniel" <mark.daniel@vsm.com.au> wrote in message
> >>> news:01110d0c$0$20616$c3e8da3@news.astraweb.com...
> >>>> yyyc186 wrote:
> >>>>> The Minimum You Need to Know About Service Orieted Architecture by
> >>>>> Roland Hughes
> >>>>>
> >>>>> Award-Winner in the Business: Technology/Computers/Internet category
> >>>>> of the National Best Books 2008 Awards, sponsored by USA Book News
> >>>> Congratulations Roland!
> >>>>
> >>>> (I purchased it when AU$ was almost at US$ parity :-)
> >>>>
> >>>>> You can find this book in Island Computer's Web store.[/color]
> >
> >[/color][/color]