
Re: [xml-dev] SOAP-RPC and REST and security


Gavin Thomas Nicol scripsit:

> > Security through obscurity is the worst kind of security there is.
> I'm not talking about security via obscurity.... but rather not having
> *any* path to a resource unless explicitly granted it. One is roughly
> akin to ACLs, the other, capabilities.

It depends on how deep the obscurity is.  If you have to guess a
64-bit truly random number to get access to the resource, it
is effectively secure, which is why a very reasonable implementation
of capabilities is to add such a number to an address.  The
capability can then be passed around without central coordination,
but outsiders aren't going to get any access in practice,
since brute-forcing 64 bits is not practical.

> > Given enough time, someone will always figure out what you are
> > trying to hide.

But there may not be enough time left!

John Cowan           http://www.ccil.org/~cowan              cowan@ccil.org
To say that Bilbo's breath was taken away is no description at all.  There
are no words left to express his staggerment, since Men changed the language
that they learned of elves in the days when all the world was wonderful.
        --_The Hobbit_
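The capability scheme the reply sketches (a 64-bit random number appended to an address, so that holding the URL is the whole grant and outsiders face a brute-force search) can be made concrete in a few lines. The following is an added example, not code from the post or from any project it mentions; the host `example.invalid`, the `cap` query parameter and the `CapabilityServer` class are assumptions made for illustration. It also goes slightly beyond the post by storing only a hash of each token (so a leaked table does not itself hand out access) and by adding revocation, which is the usual practical weakness of freely-passed capabilities.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

TOKEN_BITS = 64                 # the "64-bit truly random number" from the post
TOKEN_BYTES = TOKEN_BITS // 8


class CapabilityServer:
    """Toy resource server whose only access path is a capability URL.

    There is no user identity and no ACL: presenting a URL whose ``cap``
    parameter matches a minted token is the entire authorization decision,
    so the URL can be handed on without any central coordination, exactly
    as the post describes.
    """

    def __init__(self, base="https://example.invalid/res"):  # hypothetical host
        self._base = base
        # Map sha256(token) -> resource. Only hashes are kept, so a leaked
        # table does not reveal usable capabilities (added hardening).
        self._caps = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def grant(self, resource):
        """Mint a fresh capability URL for `resource`."""
        token = secrets.token_hex(TOKEN_BYTES)   # 64 bits from the OS CSPRNG
        self._caps[self._digest(token)] = resource
        return f"{self._base}?cap={token}"

    def fetch(self, url):
        """Return the resource named by a capability URL, or None."""
        presented = parse_qs(urlsplit(url).query).get("cap", [""])[0]
        if len(presented) != 2 * TOKEN_BYTES:
            return None                           # malformed token: reject early
        return self._caps.get(self._digest(presented))

    def revoke(self, url):
        """Invalidate a capability; every copy that was passed around dies with it."""
        presented = parse_qs(urlsplit(url).query).get("cap", [""])[0]
        self._caps.pop(self._digest(presented), None)


def token_entropy_bits(url):
    """Bits of guessing work encoded in the URL's token (4 bits per hex digit)."""
    cap = parse_qs(urlsplit(url).query).get("cap", [""])[0]
    return len(cap) * 4


def expected_guesses(bits=TOKEN_BITS):
    """An attacker must try half the space on average before hitting a valid token."""
    return 2 ** (bits - 1)


def years_to_brute_force(bits=TOKEN_BITS, guesses_per_second=10**9):
    """Expected wall-clock years at a constructed guess rate (1e9/s by default)."""
    return expected_guesses(bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    server = CapabilityServer()
    url = server.grant("quarterly-report")        # constructed sample resource
    print(url)
    print("holder sees:", server.fetch(url))
    print("entropy bits:", token_entropy_bits(url))
    print(f"years to brute-force at 1e9 guesses/s: {years_to_brute_force():.0f}")
    server.revoke(url)
    print("after revoke:", server.fetch(url))
```

Two things the numbers make visible: at a billion guesses per second the expected search for one 64-bit token is on the order of centuries, which is the sense in which the post calls the scheme "effectively secure"; and because possession is the only check, the server can only take access back by invalidating the token itself, so anything that copies URLs (logs, referrers, bookmarks) should be treated as a place where the capability can leak.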



Copyright 2001 XML.org. This site is hosted by OASIS