Applications can make use of Content-Disposition Header and not violate
AS1,2 (and I think 3) but this is not specifically and explicitly
mentioned in the applicability statements. It is certainly not mandated
behavior and implementations should not depend on the behavior to
interoperate.
Historically, there were security concerns about threats/exploits when
not checking filenames (and especially filenames with a full path). Kyle
also points out that there are not overwhelmingly convincing use cases
for letting/requiring the partner to say what the filename should be on
the system. Early experience back in the late 90s with AS1 showed that
implementations were not always good about using unique filenames; so
operational problems of clobbering data could show up for incautious
implementations. The safest bet when implementing was to have the
receiver ensure no-clobbering, and an easy way to do that was to just
ignore the suggested filenames.
I am unconvinced we should open this up again without clear and
persuasive end-user requirements for why this functionality is needed.
Dale Moberg
-----Original Message-----
From: owner-ietf-ediint@xxxxxxxxxxxx
[mailto:owner-ietf-ediint@xxxxxxxxxxxx] On Behalf Of Kyle Meadors
Sent: Friday, April 01, 2005 3:39 PM
To: 'Dmitry Dolinsky'; ietf-ediint@xxxxxxx
Subject: RE: Filename in AS2 messages
Dmitry,
Generally, I did not consider filenames of EDI/XML payloads to be
significant in themselves. The information in the EDI interchanges is not
treated differently because of the filename. What would be the benefit of
your trading partner knowing the filename?
Kyle Meadors
DGI
-----Original Message-----
From: owner-ietf-ediint@xxxxxxxxxxxx
[mailto:owner-ietf-ediint@xxxxxxxxxxxx] On Behalf Of Dmitry Dolinsky
Sent: Thursday, March 24, 2005 8:28 PM
To: ietf-ediint@xxxxxxx
Subject: Filename in AS2 messages
I'd like to clarify how the filenames are expected to be communicated in
AS2. Since AS2 data is represented by MIME body, the implication is that
Content-Disposition header can be used for that purpose.
Is this a correct assumption?
If so, it would be great if AS2 spec made an explicit reference to RFC-2183
(update of rfc1806) "Communicating Presentation Information in Internet
Messages: The Content-Disposition Header Field" with respect to AS2
filename. I've noticed that the header is included in the samples that
accompany the specification but making it explicit would improve
interoperability.
Also, as a practical question, do current AS2 implementations include
Content-Disposition header with filename parameter when sending and look
for it when receiving as far as people know?
Thank you.
Dmitry Dolinsky
Tumbleweed Communications Corp.
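
The receiver-side handling discussed at the top of this thread (never trust a path in the Content-Disposition filename, and never clobber existing data), as an added example that is not part of the original messages and not taken from any AS2 product. The function names, the sample MIME part and the storage layout are assumptions made for illustration.

```python
import os
import re
import uuid
from email import message_from_string
from email.message import Message

# Constructed sample: a MIME part whose suggested filename carries a path.
SAMPLE = (
    "Content-Type: application/edi-x12\n"
    'Content-Disposition: attachment; filename="../../etc/orders.edi"\n'
    "\n"
    "ISA*00*constructed-sample~\n"
)

def sanitize_suggestion(name):
    """Reduce a partner-supplied filename to a harmless label, or None."""
    if not name:
        return None
    # Drop any directory part, for both POSIX and Windows separators.
    base = re.split(r"[\\/]", name)[-1]
    # Keep a conservative character set, no leading dots, bounded length.
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")[:64]
    return base or None

def store_payload(part: Message, inbox: str) -> str:
    """Write the part's payload under a receiver-chosen unique name."""
    # get_filename() reads the filename parameter of Content-Disposition.
    label = sanitize_suggestion(part.get_filename())
    data = part.get_payload(decode=True) or b""
    while True:
        # The receiver owns uniqueness; the suggestion is only a suffix.
        name = uuid.uuid4().hex + ("_" + label if label else "")
        path = os.path.join(inbox, name)
        try:
            # O_EXCL makes creation fail rather than overwrite a file.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return path
```

Storing the same part twice yields two distinct files inside the inbox directory, and the partner's path components never reach the filesystem call.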