
Re: Re: Cookies at XML Europe 2004 -- Call for Participation


harold yahoo.com
> Possibly you read a message I missed or interpreted it differently. 
> Could you please provide the URL to and quote from the specific message 
> which demonstrates that good security practices conflict with REST?

All the state must be in the client:
   http://groups.yahoo.com/group/rest-discuss/message/3594 (Baker)
   http://groups.yahoo.com/group/rest-discuss/message/3583 (Fielding)

The server cannot trust the client to not modify the session state, and 
it may have privacy concerns about exposing the entire state to the 
client in the first place.  Therefore the server must encrypt the entire 
session state (if it even has it all).  It then gives 
this to the client so that the client can present it back on future 
requests.  (Let's ignore whether that's done via Cookies or via querystring 
parameters in a URL.)  In order to do this, we must use public-key 
encryption.  For security (and REST state:) reasons, we cannot use a 
faster symmetric algorithm like 3DES or AES.  We could use https to 
protect the content, but then we're back to shared state (the SSL 
context, but maybe REST doesn't care since that's just a transport issue).

Therefore, the server has to do a public-key decryption on every single 
incoming request in order to authenticate the client.  That is not 
scalable.  It makes the server completely susceptible to trivial DoS 
attacks, for example.

Does this make sense?  Does it seem wrong?
	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
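The mechanism the post describes (the server seals the whole session state, hands it to the client, and opens and verifies it on every request, keeping no state itself) as an added example; this is not code from the post, from DataPower or from the REST discussion it cites. It uses a single server-held AES-GCM key rather than public-key encryption, on the reasoning that the server is the only party that ever seals or opens the token, so no one else needs a key; the names `Sealer`, `SessionState`, `Seal`, `Open` and the `"session-cookie"` context string are this example's own, and the key, user and timestamps are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SessionState is everything the server needs to know about the session.
// It is never stored server-side: it travels, sealed, inside the token
// the client presents on each request.
type SessionState struct {
	User    string    `json:"user"`
	Role    string    `json:"role"`
	Expires time.Time `json:"exp"`
}

// Sealer holds the only key that can seal or open tokens. The client never
// sees it, so the client can neither read the state nor alter it undetected.
type Sealer struct {
	aead cipher.AEAD
}

// NewSealer wraps a 16-, 24- or 32-byte AES key in AES-GCM (encryption plus
// an authentication tag in one pass; the tag is what catches tampering).
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal serialises the state, encrypts it under a fresh random nonce, and
// binds it to `context` as associated data so a token minted for one purpose
// (say the session cookie) cannot be replayed as another. The token is
// base64url(nonce || ciphertext || tag).
func (s *Sealer) Seal(st SessionState, context string) (string, error) {
	plain, err := json.Marshal(st)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := s.aead.Seal(nil, nonce, plain, []byte(context))
	return base64.RawURLEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// Open is what runs on every incoming request: one symmetric AEAD open,
// then an expiry check. Any modification by the client fails the tag check.
func (s *Sealer) Open(token, context string, now time.Time) (SessionState, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return SessionState{}, err
	}
	n := s.aead.NonceSize()
	if len(raw) < n+s.aead.Overhead() {
		return SessionState{}, errors.New("token too short")
	}
	plain, err := s.aead.Open(nil, raw[:n], raw[n:], []byte(context))
	if err != nil {
		// Covers a wrong key, a flipped byte, or a token from another context.
		return SessionState{}, errors.New("token rejected: authentication failed")
	}
	var st SessionState
	if err := json.Unmarshal(plain, &st); err != nil {
		return SessionState{}, err
	}
	if !now.Before(st.Expires) {
		return SessionState{}, errors.New("token expired")
	}
	return st, nil
}

func main() {
	// Constructed sample key and session; a real deployment generates the key
	// with crypto/rand and keeps it only on the server(s).
	s, err := NewSealer([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	now := time.Date(2004, 3, 1, 12, 0, 0, 0, time.UTC)
	tok, _ := s.Seal(SessionState{User: "harold", Role: "reader", Expires: now.Add(time.Hour)}, "session-cookie")
	st, err := s.Open(tok, "session-cookie", now)
	fmt.Println(st, err)
}
```

The per-request cost here is one AES-GCM open over a few hundred bytes; the server does not need a public-key operation because it is both the sealer and the only opener. Rotating the key invalidates every outstanding token, which is the one piece of shared state this design keeps.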