xml-dev - Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

[ Lists Home | Date Index | Thread Index ]

To: "jcowan@reutershealth.com" <jcowan@reutershealth.com>
Subject: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
From: Rich Salz <rsalz@datapower.com>
Date: Tue, 6 Jan 2004 19:29:21 -0500 (EST)
Cc: "xml-dev@lists.xml.org" <xml-dev@lists.xml.org>
In-reply-to: <20040106225031.GG18224@skunk.reutershealth.com>

> > Good security requires state.
>
> I don't understand this.  _Efficient_ security may require state, but
> using a distinct and unpredictable session key for every stateless
> transaction is surely entirely secure.

First, good security is efficient security.  Second, in order to securely
exchange session keys, you have to use the "login key" of the parties.
This means the login key (e.g., private key, or passphrase-to-3DESkey)
has to be available for every transaction.  This means its exposed more.
This means it's less secure.

It would be as if the Unix shell required you to enter you password each
time you entered a command line.
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

References:
- Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
  - From: jcowan@reutershealth.com

Prev by Date: RE: [xml-dev] Another mutated variant of the 'PowerPoint makes yo udumb' story
Next by Date: Re: [xml-dev] wacky XML
Previous by thread: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
Next by thread: RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
Index(es):
- Date
- Thread