
Re: Re: Cookies at XML Europe 2004 -- Call for Participation

At 8:02 AM -0500 1/7/04, Rich Salz wrote:


>I know.  I was merely pointing out that REST lets the lower layers
>do things that it won't.  Such as maintaining state on both sides
>of the connection which is (all together now) a requirement for good
>security.

It is not at all unreasonable for different layers of the network 
stack to be allowed to do different things. Indeed they should. 
Separation and non-duplication of concerns is a good general 
principle of network design.

I think you've demonstrated that there are some minor issues with 
security in the REST model over unencrypted HTTP, given current HTTP 
authentication schemes. You have not demonstrated that it is a 
fundamental principle that maintaining state on both sides of a 
connection is a requirement for good security. At most, you have 
shown that given current public key encryption algorithms and 
available hardware, it is inefficient not to maintain some state on 
both sides of the connection. However, given that faster hardware is 
a near certainty and faster algorithms are far from inconceivable, I 
certainly don't accept this as a fundamental principle.

In fact, I would go so far as to argue the opposite. The ideal case 
is that the key be changed for each and every transaction. This is 
computationally infeasible today. It may not be tomorrow. Maintaining 
state and using the same key more than once is a necessary compromise 
given the limitations of today's hardware and algorithms, just as 
exchanging the encrypted password with each transaction as done in 
digest authentication is a necessary and useful compromise between 
the benefits of REST and the principles of good security.
-- 

   Elliotte Rusty Harold
   elharo@m...
   Effective XML (Addison-Wesley, 2003)
   http://www.cafeconleche.org/books/effectivexml
   http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
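The compromise the post describes, shown as an added example that is not code from the thread or its author: with HTTP Digest authentication the client proves knowledge of the password afresh on every request, while the server keeps no session, only a way to recognise and expire the nonces it issued. Assumptions: RFC 2617 MD5 with qop=auth, an HMAC-stamped nonce so the server needs no nonce table, and constructed realm, user and password values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values, not from the thread: a realm and the server's
# secret for minting nonces without keeping a per-client record.
REALM = "api.example.test"
SERVER_KEY = os.urandom(32)

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """What the server stores instead of the password; note it is password-equivalent for this realm."""
    return _md5(f"{user}:{realm}:{password}")

def make_nonce(now=None) -> str:
    """Stateless nonce: timestamp plus HMAC tag, so the server holds nothing per client."""
    ts = str(int(time.time()) if now is None else now)
    tag = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{tag}"

def nonce_is_valid(nonce: str, max_age: int = 300, now=None) -> bool:
    """Accept only nonces we minted and that are still fresh; a stale one forces a re-challenge."""
    ts, _, tag = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:16]
    current = int(time.time()) if now is None else now
    return hmac.compare_digest(tag, expected) and 0 <= current - int(ts) <= max_age

def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 qop=auth response: bound to the nonce, request counter, client nonce and request line."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_verify(creds: dict, user: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str, now=None) -> bool:
    """Server side: recompute from the stored HA1; the only state consulted is nonce freshness."""
    if user not in creds or not nonce_is_valid(nonce, now=now):
        return False
    expected = digest_response(creds[user], method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

def demo() -> bool:
    """One full request: server challenges, client answers, server verifies without a session."""
    creds = {"alice": ha1("alice", REALM, "correct horse battery staple")}
    nonce = make_nonce()
    resp = digest_response(creds["alice"], "GET", "/orders/42", nonce, "00000001", "f00dcafe")
    return server_verify(creds, "alice", "GET", "/orders/42", nonce, "00000001", "f00dcafe", resp)
```

Because the response is bound to the method and URI, a captured proof cannot be reused for a different request, and the nonce age bound limits how long an exact replay is accepted.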
