From: "Tyler Close" <tyler@...>
> As we've discussed, and you've agreed, using a capability URL is
> the only way to prevent the Confused Deputy attack. How do you
> reconcile this with thinking that a capability URL is "a Bad
> Idea"? The agreed facts indicate the exact opposite.

A server implementation could use http://user:pwd@seairth.com/rna/r/1234,
http://seairth.com/rna/r/1234/334956923, http://seairth.com/rna/334956923,
etc. From the perspective of RNA, it doesn't matter. The URI is opaque.
However, from the implementation perspective, each has its strengths and
weaknesses. Personally, I don't think the "capability URL" is a Bad Idea.
Within my implementation that I am slowly working on, this will be the
approach I happen to be taking. However, I prefer the "user:pwd@" format
for the various reasons that I have already stated. If someone wants to use
nonces instead, that's up to them. Again, it doesn't matter to RNA.
---
Seairth Jacobs
seairth@...