[
Lists Home |
Date Index |
Thread Index
]
On Wed, 30 Mar 2005 21:33:59 -0500 (EST), Rich Salz
<rsalz@datapower.com> wrote:
> But what if the Credit Card company is building its back office around
> HTTP and REST? They *can't* resubmit and let someone else work it out. :)
> Note that I'm not talking about transactions, rollback, etc., I just
> want to know if the damn message got there and what the answer was.
> I'd also like to avoid message replay.
I believe POE fulfills that requirement:
http://www.mnot.net/blog/2005/03/21/poe
> HTTP has no way to provide end-to-end security of the Request URI.
> That means you can't do a GET and have any cryptographically based
> way to be sure that (a) the URI wasn't modified in-flight; and (b)
> that nobody else will see it (i.e., signing and encryption). SSL/TLS
> is only hop-by-hop. If there are any proxies or loadbalancers in the
> path, at least some of them will get the plaintext.
As far as (a) is concerned, doesn't Digest include the URI in the hash?
As far as (b) is concerned, isn't the SLL certificate tied to the IP address
of the server being accessed?
-joe
--
Joe Gregorio http://bitworking.org
|