Re: [rest-discuss] Caching question

  • Tyler Close
    Message 1 of 10, May 11 3:56 AM
      On Sunday 11 May 2003 03:03, Mark Nottingham wrote:
      > Quoting Tyler Close <tyler@...>:
      > > On Saturday 10 May 2003 15:56, Mark Nottingham wrote:
      > > > Digest authentication doesn't require SSL to maintain privacy of the
      > > > authenticator.
      > >
      > > If you send the resource representation in plaintext, you are
      > > effectively delegating access to the resource to everyone else on
      > > your network path. This violates the semantics of your access
      > > control check.
      >
      > No, you could be said to be delegating access to the representation, but
      > not the resource; whilst the representation is available to anyone who is
      > able to observe it as it goes by, other representations of the resource
      > are not available to them upon demand without the proper credentials.

      In this case, access to a representation of the resource is
      equivalent to access to the resource. We know this because Seairth
      is specifically asking about a resource for which caching is
      important. Given this information, your suggestion to use digest
      authentication to "maintain the privacy of the authenticator"
      doesn't make any sense.

      Even if you wish to quibble over the above, it doesn't change the
      fact that you've violated the semantics of the access control
      check. The requestor intends to fetch a representation for
      himself, not himself and everyone in the neighborhood.

      Does it seem odd to anyone that I am needing to argue that it is
      important to encrypt private data before transmitting it over a
      public network?

      > > In this case, using HTTP Auth without SSL doesn't provide any
      > > actual security. I don't know how knowledgeable you are about
      >
      > "security" is such an imprecise term, isn't it?

      Not in this context it isn't. Context is always important in
      English.

      Tyler
    • Mark Nottingham
      Message 2 of 10, May 11 10:58 AM
        Quoting Tyler Close <tyler@...>:

        > In this case, access to a representation of the resource is
        > equivalent to access to the resource. We know this because Seairth
        > is specifically asking about a resource for which caching is
        > important. Given this information, your suggestion to use digest
        > authentication to "maintain the privacy of the authenticator"
        > doesn't make any sense.

        Yeeessss.... and I'm saying that a cached representation of a resource is
        not equivalent to the range of representations that resource is capable of
        emitting. There are scenarios where this is an important distinction.

        > Does it seem odd to anyone that I am needing to argue that it is
        > important to encrypt private data before transmitting it over a
        > public network?

        Who said public network? Once again, there are scenarios where protecting
        the authentication credentials is valuable, but the representations
        themselves aren't as sensitive. I grant that there are likely many, many
        more which do require encryption for appropriate security, but am
        unwilling to say that all scenarios require it.

        Since we seem to be starting to repeat ourselves, I suggest we move on.
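The disagreement above turns on what an on-path observer actually sees when HTTP Digest authentication (RFC 2617) is used over plaintext HTTP: the credential is never transmitted, but the representation is. The following Python script is an added example, not part of the original thread or either poster's material. It computes the Digest `response` value for the worked example in RFC 2617 section 3.5 (Mufasa / testrealm@host.com / "Circle Of Life"), builds a constructed request and response as they would cross the wire, and then reports what an observer can read from them. It also shows, through a server-side check, that a captured `response` value is bound to the method and URI, which is the basis of Mark's point that other representations are not obtainable on demand. The function names (`observer_view`, `server_verifies`, and so on) and the HTTP messages are assumptions made for this illustration.

```python
"""Added example (not from the thread): what an on-path observer sees when
HTTP Digest authentication (RFC 2617) is used over plaintext HTTP.

The function names and the request/response samples are constructed for this
illustration; the credential and nonce values are the worked example of
RFC 2617 section 3.5.
"""
import hashlib
import re

# Values from the RFC 2617 section 3.5 example.
USERNAME = "Mufasa"
REALM = "testrealm@host.com"
PASSWORD = "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"
URI = "/dir/index.html"


def md5_hex(text: str) -> str:
    """Hex MD5 as RFC 2617 specifies (a weak hash; RFC 7616 adds SHA-256 variants)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' field for qop=auth. HA2 binds the method and URI, so the
    value is only valid for this request, and the password itself never leaves the client."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """Build the Authorization header a client would send."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (
        f'Authorization: Digest username="{username}", realm="{realm}", '
        f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
        f'response="{resp}"'
    )


def build_exchange():
    """Constructed request and response, exactly as they would cross the wire."""
    auth = authorization_header(USERNAME, REALM, PASSWORD, "GET", URI, NONCE, NC, CNONCE)
    request = f"GET {URI} HTTP/1.1\r\nHost: host.com\r\n{auth}\r\n\r\n"
    body = "<html>private: account balance 1234.56</html>"  # constructed private representation
    response = (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )
    return request, response


def parse_digest_fields(request: str) -> dict:
    """Extract the Digest parameters from the Authorization header line."""
    line = request.split("Authorization: Digest ", 1)[1].split("\r\n", 1)[0]
    return dict(re.findall(r'(\w+)="?([^",]+)"?', line))


def observer_view(request: str, response: str) -> dict:
    """What someone on the network path can read from the two plaintext messages:
    every Digest field (none of which is the password) and the whole body."""
    return {
        "digest_fields": parse_digest_fields(request),
        "password_in_clear": PASSWORD in request,
        "body_in_clear": response.split("\r\n\r\n", 1)[1],
    }


def server_verifies(fields: dict, method: str, requested_uri: str, password_db: dict) -> bool:
    """Server-side check: recompute the response from the stored password.
    A captured response does not validate for a different URI, so an observer
    cannot use it to fetch other representations. (Real servers also track
    nonce and nc values so that the same request cannot simply be repeated.)"""
    if fields.get("uri") != requested_uri:
        return False
    expected = digest_response(
        fields["username"], fields["realm"], password_db[fields["username"]],
        method, requested_uri, fields["nonce"], fields["nc"], fields["cnonce"],
    )
    return expected == fields["response"]


if __name__ == "__main__":
    req, resp = build_exchange()
    seen = observer_view(req, resp)
    print("password visible on the wire:", seen["password_in_clear"])
    print("body visible on the wire:", seen["body_in_clear"])
    print("captured header accepted for another URI:",
          server_verifies(seen["digest_fields"], "GET", "/dir/other.html", {USERNAME: PASSWORD}))
```

Run as a script, the output shows the two halves of the argument side by side: the password is not on the wire, the Digest fields are only hashes and nonces, the captured header is rejected for a different URI, and the body is fully readable. Which of those matters more is exactly the question of whether the representation or the credential is the sensitive item, which the thread leaves to the specific scenario.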