Gavin Thomas Nicol wrote:
>
> On Monday 11 February 2002 04:16 pm, Simon St.Laurent wrote:
> > On Mon, 2002-02-11 at 13:44, Paul Prescod wrote:
> > > Every message should result in a new URI. The URI represents the
> > > current state of the transaction. You point to the last URI you
> > > got.
> >
> > That's sort of vaguely usable, though I don't think I'd want to
> > implement anything deeply recursive on that.
>
> Actually, the above is bogus because the URI has gone from being
> opaque to encoding application state (to those that understand the
> application) and you may or may not wish to disclose that to an
> intermediary.

Really? Here's one from Expedia. It's half-way through a transaction.
Please tell me what the details of the transaction are:

http://www.expedia.ca/pub/agent.dll?qscr=fstr&itid=34958964&bkmd=2&zz=1013489956491

Hint: don't spend all day trying to decrypt it. The information you are
not looking for is not in there. Even Microsoft is not that stupid.

> > Sure. And if someone else comes along and changes the state out
> > from under your label, how much good is your label?
>
> Which is what a malicious intermediary can do. As soon as you use SSL,
> visibility is gone...

Of course. You use the right tool for the job. But you can also speak to
*intermediaries* through SSL.

Paul Prescod