OASIS Mailing List Archives

   Re: [xml-dev] SOAP-RPC and REST and security


John Cowan wrote:
> Gavin Thomas Nicol scripsit:
> > > Security through obscurity is the worst kind of security there is.
> >
> > I'm not talking about security via obscurity.... but rather not having
> > *any* path to a resource unless explicitly granted it. One is roughly
> > akin to ACL's, the other, capabilities.
> It depends on how deep the obscurity is.  If you have to guess a
> 64-bit truly random number to get access to the resource, it
> is effectively secure, which is why a very reasonable implementation
> of capabilities is to add such a number to an address.  The
> capability can then be passed around without central coordination,
> but outsiders aren't going to get any access in practice,
> since brute-forcing 64 bits is not practical.

Agree. I see no functional difference between string-based capabilities
and crypto key URIs except for the dereferencing strategy. I am not an
expert on capability-based security so I'll watch for a correction...

 Paul Prescod
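The 64-bit-random-number capability URL John describes, and the two dereferencing strategies Paul alludes to, as an added example (not code from the thread or from any project it mentions). Strategy 1 mints a fresh 64-bit token from a CSPRNG and keeps a server-side table from a hash of the token to the resource; strategy 2 puts the resource id in the URL alongside a keyed MAC, so the server verifies it without per-capability state. The class names, the `cap` and `mac` query parameters, the `example.invalid` URLs and the `expected_guesses_to_hit_one` helper are assumptions for illustration:

```python
"""Capability URLs: an unguessable secret appended to an address.

Two dereferencing strategies (hypothetical class names, not from the thread):
  1. TableCapabilityStore: 64-bit random token, looked up in a server table.
  2. MacCapabilityIssuer: resource id + keyed MAC, verified statelessly.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

TOKEN_BYTES = 8  # 64 bits, the size discussed in the thread


def _query_param(url, name):
    """Return the single value of query parameter `name`, or None."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def _from_hex(text):
    """Decode hex defensively: malformed input is treated as no capability."""
    try:
        return bytes.fromhex(text) if text is not None else None
    except ValueError:
        return None


class TableCapabilityStore:
    """Strategy 1: random token dereferenced through a server-side table."""

    def __init__(self):
        # Keyed by SHA-256 of the token so a dump of this table does not
        # hand out live capabilities; only preimages of the hashes would.
        self._resource_by_hash = {}

    def mint(self, base_url, resource):
        # secrets, never random: the token must be unpredictable.
        token = secrets.token_bytes(TOKEN_BYTES)
        self._resource_by_hash[hashlib.sha256(token).digest()] = resource
        return f"{base_url}?cap={token.hex()}"

    def dereference(self, url):
        token = _from_hex(_query_param(url, "cap"))
        if token is None or len(token) != TOKEN_BYTES:
            return None
        return self._resource_by_hash.get(hashlib.sha256(token).digest())


class MacCapabilityIssuer:
    """Strategy 2: self-authenticating URL, no per-capability state."""

    def __init__(self, key):
        self._key = key  # server secret; anyone holding it can mint

    def _tag(self, resource_id):
        mac = hmac.new(self._key, resource_id.encode(), hashlib.sha256)
        return mac.digest()[:TOKEN_BYTES]  # truncated to 64 bits as above

    def mint(self, base_url, resource_id):
        return f"{base_url}/{resource_id}?mac={self._tag(resource_id).hex()}"

    def dereference(self, url):
        resource_id = urlsplit(url).path.rsplit("/", 1)[-1]
        presented = _from_hex(_query_param(url, "mac"))
        if presented is None:
            return None
        # Constant-time compare: the MAC is the only thing guarding access.
        if not hmac.compare_digest(presented, self._tag(resource_id)):
            return None
        return resource_id


def expected_guesses_to_hit_one(bits, live_capabilities):
    """Expected random guesses before hitting any of N live capabilities.

    Each guess succeeds with probability N / 2**bits, so the expectation is
    2**bits / N: the 64-bit argument weakens as the token population grows.
    """
    return (2 ** bits) // live_capabilities


if __name__ == "__main__":
    store = TableCapabilityStore()
    url = store.mint("https://example.invalid/doc", "secret-report")
    print(url, "->", store.dereference(url))
    issuer = MacCapabilityIssuer(secrets.token_bytes(32))
    url = issuer.mint("https://example.invalid/docs", "report-7")
    print(url, "->", issuer.dereference(url))
    print("guesses, 64 bits, 1 token:", expected_guesses_to_hit_one(64, 1))
```

The brute-force estimate is the caveat a practitioner wants next to the "64 bits is enough" claim: it holds per token, so a server with a million live capabilities and no rate limiting on failed dereferences has shrunk the effective search space by about twenty bits. Either strategy also makes the URL a bearer secret, so it travels into access logs, Referer headers and browser history unless the server strips it or the resource is served over a path that does not forward it.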



Copyright 2001 XML.org. This site is hosted by OASIS