Re: SOAP-RPC and REST and security
John Cowan wrote:
>
> Gavin Thomas Nicol scripsit:
> >
> > Security through obscurity is the worst kind of security there is.
> >
> > I'm not talking about security via obscurity.... but rather not having
> > *any* path to a resource unless explicitly granted it. One is roughly
> > akin to ACL's, the other, capabilities.
>
> It depends on how deep the obscurity is. If you have to guess a
> 64-bit truly random number to get access to the resource, it
> is effectively secure, which is why a very reasonable implementation
> of capabilities is to add such a number to an address. The
> capability can then be passed around without central coordination,
> but outsiders aren't going to get any access in practice,
> since brute-forcing 64 bits is not practical.

Agree. I see no functional difference between string-based capabilities and
crypto key URIs except for the dereferencing strategy. I am not an expert on
capability-based security so I'll watch for a correction...

Paul Prescod
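The "64-bit random number in the address" scheme John Cowan describes, as an added Python example that is not code from any poster in this thread. It models the server side as a table from unguessable tokens to resources, draws tokens from the OS CSPRNG, compares them in constant time so response timing cannot leak how much of a guess was right, and works out the expected brute-force time at the assumed rate of one billion guesses per second. `CapabilityStore`, `BASE_URL`, the `cap` query parameter and the resource name `invoice-42` are all constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Token width from the thread: a 64-bit truly random number in the address.
TOKEN_BITS = 64
TOKEN_HEX_LEN = TOKEN_BITS // 4

# Hypothetical base URL; any host and path would do.
BASE_URL = "https://example.invalid/resource"


class CapabilityStore:
    """Server side of the scheme: a table from unguessable tokens to resources.

    Holding a token *is* the authority; there is no per-user ACL check,
    which is exactly the ACL-versus-capability distinction in the thread.
    """

    def __init__(self):
        self._caps = {}

    def grant(self, resource):
        # secrets draws from the OS CSPRNG; random.random() would be predictable.
        token = secrets.token_hex(TOKEN_BITS // 8)
        self._caps[token] = resource
        return token

    def revoke(self, token):
        # Revocation in this model means forgetting the token.
        self._caps.pop(token, None)

    def lookup(self, token):
        # Reject malformed input before comparing anything.
        if len(token) != TOKEN_HEX_LEN:
            return None
        guess = token.encode()
        # Constant-time comparison against every live token, so timing does
        # not reveal how many leading characters of a guess were correct.
        for known, resource in self._caps.items():
            if hmac.compare_digest(known.encode(), guess):
                return resource
        return None


def make_capability_url(token):
    """Embed the token in the address, as the thread describes."""
    return f"{BASE_URL}?cap={token}"


def token_from_url(url):
    """Extract the cap= parameter; returns None when it is absent."""
    values = parse_qs(urlsplit(url).query).get("cap")
    return values[0] if values else None


def resolve(store, url):
    """Dereference a capability URL: the token alone decides access."""
    token = token_from_url(url)
    return store.lookup(token) if token else None


def years_to_brute_force(bits=TOKEN_BITS, guesses_per_second=1e9):
    """Expected time to hit one live token when guessing at the given rate.

    Assumes a single live token; with N live tokens the expected effort
    drops by a factor of N, which is the main caveat to the 64-bit figure.
    """
    expected_guesses = 2 ** (bits - 1)  # on average half the space
    return expected_guesses / (guesses_per_second * 365.25 * 24 * 3600)


if __name__ == "__main__":
    store = CapabilityStore()
    cap = store.grant("invoice-42")  # constructed resource name
    url = make_capability_url(cap)
    print(url, "->", resolve(store, url))
    print("wrong token ->", resolve(store, make_capability_url("0" * TOKEN_HEX_LEN)))
    print(f"about {years_to_brute_force():.0f} years at 1e9 guesses/s")
```

The brute-force estimate is the whole argument for "effectively secure", so the check a practitioner would add is that it only holds while the token stays in the address: once a capability URL is written to an access log or sent in a Referer header, the 64 bits buy nothing, and the token should be revoked and reissued.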