xml-dev - Re: [xml-dev] SOAP-RPC and REST and security

Re: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] SOAP-RPC and REST and security
From: Paul Prescod <paul@prescod.net>
Date: Fri, 22 Feb 2002 09:04:46 -0800
References: <E16eEoE-0006IC-00@mercury.ccil.org>

John Cowan wrote:
> 
> Gavin Thomas Nicol scripsit:
> 
> > > Security through obscurity is the worst kind of security there is.
> >
> > I'm not talking about security via obscurity.... but rather not having
> > *any* path to a resource unless explictly granted it. One is roughly
> > akin to ACL's, the other, capabilities.
> 
> It depends on how deep the obscurity is.  If you have to guess a
> 64-bit truly random number to get access to the resource, it
> is effectively secure, which is why a very reasonable implementation
> of capabilities is to add such a number to an address.  The
> capability can then be passed around without central coordination,
> but outsiders aren't going to get any access in practice,
> since brute-forcing 64 bits is not practical.

Agree. I see no functional difference between string-based capabilities
and crypto key URIs except for the dereferencing strategy. I am not an
expert on capability-based security so I'll watch for a correction...

 Paul Prescod

References:
- Re: [xml-dev] SOAP-RPC and REST and security
  - From: John Cowan <cowan@mercury.ccil.org>

Prev by Date: Re: [xml-dev] Simplified XPointer
Next by Date: Re: [xml-dev] Two sides of SOAP (was RE: [xml-dev] SOAP-RPC and REST and security)
Previous by thread: Re: [xml-dev] SOAP-RPC and REST and security
Next by thread: RE: [xml-dev] SOAP-RPC and REST and security
Index(es):
- Date
- Thread