OASIS Mailing List Archives


   Re: [xml-dev] ANN: Building Web Services the REST Way



----- Original Message -----
From: "Paul Prescod" <paul@prescod.net>
To: <xml-dev@lists.xml.org>
Sent: Wednesday, July 03, 2002 5:37 PM
Subject: Re: [xml-dev] ANN: Building Web Services the REST Way


> Jeff Greif wrote:
> >
> > Why isn't it a RESTful solution to have the client encrypt the data (using
> > an applet on the original page, or some Javascript or something else) and
> > POST the encrypted data (encoded in base64 if necessary) to the HTTP server?
>
> What if the semantic of the action was GET? And how will you say which
> resource you are posting to without telling the software doing the
> mapping from resources to logical objects?
>
> If the only thing that is double encrypted is the entity body, but the
> URI, headers and method are all SSL encrypted, then you would start to
> see *some* of the benefits of REST.

I was thinking about filling in a medical claim form, or sending a
prescription to a pharmacy (or requesting a refill).  If pushing the submit
button encrypted the form data and it was POSTed in the normal way to a
generic claim or prescription-receiving URI (CGI program or the equivalent)
that delivered the encrypted data to the back end system, it's not even
clear that SSL would be necessary (this would require that the form data
also contained the authenticating information about the sender, etc).  If it
were a violation of the security criteria for someone to be able to tell
merely that I (an IP address) used the claim-submission URI or
prescription-ordering URL, then SSL would handle the wire security for the
URI and headers, but the HTTP(S) server would still know the URI and there
might be no easy way around it.

If I were doing a GET, presumably sensitive data I provide (e.g., query
string of the URI) would have to be encrypted on the client, or POST with
encryption would have to be used.  The host+path part of the URI would still
be readable to the HTTP server.  If the sensitive information were returned
by the GET (such as if I requested medical records for a patient) presumably
it would have to be encrypted on the back end and decrypted by some software
on my client.

Am I missing something here?

Jeff






 
