On Monday 21 January 2002 11:15 pm, Paul Prescod wrote:
> I don't really know how HTTP makes this any harder than anything
> else. At least HTTP has a security model. Security for RPC seems a
> very difficult (intractable?) problem. HTTP has a very
> understandable but flexible security model. I would say that many
> services need nothing more complex than "rwx" ACLs.
HTTP isn't intrinsically more insecure except that using HTTP
proxies is a well-accepted practice. One part of security is the
principles of least-privilege and least-disclosure (don't give
permissions to more than the minimum, and don't tell anyone about
things). The web (internet in general) isn't designed with these
explicitly in mind, especially least-disclosure.
The infrastructure as it exists is probably "good enough", but I don't
think it's ideal.