[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Re: Cookies at XML Europe 2004 -- Call for Participation

• To: "jcowan@r..." <jcowan@r...>
• Subject: Re: Re: Cookies at XML Europe 2004 -- Call for Participation
• From: Rich Salz <rsalz@d...>
• Date: Tue, 6 Jan 2004 19:29:21 -0500 (EST)
• Cc: "xml-dev@l..." <xml-dev@l...>
• In-reply-to: <20040106225031.GG18224@s...>

> > Good security requires state.
>
> I don't understand this.  _Efficient_ security may require state, but
> using a distinct and unpredictable session key for every stateless
> transaction is surely entirely secure.

First, good security is efficient security.  Second, in order to securely
exchange session keys, you have to use the "login key" of the parties.
This means the login key (e.g., private key, or passphrase-to-3DESkey)
has to be available for every transaction.  This means its exposed more.
This means it's less secure.

It would be as if the Unix shell required you to enter you password each
time you entered a command line.
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

• References:
  • Re: Re: Cookies at XML Europe 2004 -- Call for Particip ation
    • From: jcowan@r...

• Prev by Date: RE: Another mutated variant of the 'PowerPoint makes yo udumb' story
• Next by Date: Re: wacky XML
• Previous by thread: Re: Re: Cookies at XML Europe 2004 -- Call for Particip ation
• Next by thread: RE: Re: Cookies at XML Europe 2004 -- Call for Particip ation
• Index(es):
  • Date
  • Thread