UWS as a REST protocol

[Guy Rixon]

Matthew,

AFAIK, you can use a proxy cert in a browser and everything is fine. It's the
server that has to adapt to the proxy details.  I'll report back on that soon
(certainly before the next Interop) when I have some practical experience.

Cheers,
Guy

On Mon, 26 Feb 2007, Matthew Graham wrote:

> Hi,
>
> That's a good point and delete is probably one of the operations where
> you really do want some degree of security. I have used TLS with NVO
> proxy certificates with no problem - although I think this was just a
> programmatic client and not a browser.
>
>     Cheers,
>
>     Matthew
>
> Guy Rixon wrote:
> > Hi Matthew,
> >
> > I can't see how to do message-level security for HTTP-delete; there's nothing
> > to sign or encrypt other than the transport details. In general, I think we
> > are OK for TLS; but I want to see it working with proxy certificates.
> >
> > Cheers,
> > Guy
> >
> > On Mon, 26 Feb 2007, Matthew Graham wrote:
> >
> >
> >> Hi Guy,
> >>
> >> I think that this looks very promising and is line with similar thoughts
> >> that I have had about a RESTful interface for VOSpace - I've started
> >> writing these up and will hopefully have time to finish this some time
> >> soon.
> >>
> >> One general comment I have is that if we are going to do REST then let's
> >> do it properly and make proper use of the full HTTP verbs: GET, PUT,
> >> POST and DELETE. These are fully supported under HTTP v1.1 and any
> >> programming language worth its salt can handle them. The issue as you
> >> note is browser support but rich web clients will be based on JavaScript
> >> or Ruby or something similar which can also handle these.
> >>
> >> My other concern is security. With SOAP-based web services we have
> >> WS-Security to make us feel comfortable that we are safe; with REST, the
> >> only real "security standard" is HTTPS - are we happy that this is
> >> sufficient? I'm unhappy about relying on transport-level security but
> >> the only alternative is that we invent some message-level security
> >> mechanism of our own for IVOA REST services: note that the Amazon S3
> >> service does not regard HTTPS as sufficient and has its own
> >> message-level security.
> >>
> >>     Cheers,
> >>
> >>     Matthew
> >>
> >> Guy Rixon wrote:
> >>
> >>> Hi,
> >>>
> >>> there has been a lot of debate recently in the industry about SOAP vs. REST as
> >>> the basis of web services.  I've written an IVOA Note on how UWS might be
> >>> presented as a REST service: please see
> >>>
> >>> http://www.ivoa.net/Documents/latest/UWS-REST.html
> >>>
> >>> Based on the worked examples in the note, and on a prototype I'm working on,
> >>> the chances for making a good, RESTful UWS are high. I reckon it would be more
> >>> useful - simpler, easier, more-generally applicable - than a SOAP-based
> >>> protocol. In particular, I like the idea of adding UWS options to protocols
> >>> like SIAP and TAP without lathering them up.
> >>>
> >>> My personal preference is to work, from here on, just on the RESTful form of
> >>> UWS and to abandon the SOAP version. Since, AFAIK, I'm the only one who has
> >>> writen any SOAP UWS code I think this should be OK. Please let me know your
> >>> views.
> >>>
> >>> Cheers,
> >>> Guy
> >>>
> >>> Guy Rixon 				        gtr at ast.cam.ac.uk
> >>> Institute of Astronomy   	                Tel: +44-1223-337542
> >>> Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
> >>>
> >>>
> >>>
> >
> > Guy Rixon 				        gtr at ast.cam.ac.uk
> > Institute of Astronomy   	                Tel: +44-1223-337542
> > Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
> >
> >
>

Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523