[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: SOAP-RPC and REST and security


security through obscurity
John Cowan wrote:
> 
> Gavin Thomas Nicol scripsit:
> 
> > > Security through obscurity is the worst kind of security there is.
> >
> > I'm not talking about security via obscurity.... but rather not having
> > *any* path to a resource unless explictly granted it. One is roughly
> > akin to ACL's, the other, capabilities.
> 
> It depends on how deep the obscurity is.  If you have to guess a
> 64-bit truly random number to get access to the resource, it
> is effectively secure, which is why a very reasonable implementation
> of capabilities is to add such a number to an address.  The
> capability can then be passed around without central coordination,
> but outsiders aren't going to get any access in practice,
> since brute-forcing 64 bits is not practical.

Agree. I see no functional difference between string-based capabilities
and crypto key URIs except for the dereferencing strategy. I am not an
expert on capability-based security so I'll watch for a correction...

 Paul Prescod

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.