Re: ANN: Building Web Services the REST Way
----- Original Message -----
From: "Paul Prescod" <paul@p...>
To: <xml-dev@l...>
Sent: Wednesday, July 03, 2002 5:37 PM
Subject: Re: ANN: Building Web Services the REST Way

> Jeff Greif wrote:
> >
> > Why isn't it a RESTful solution to have the client encrypt the data (using
> > an applet on the original page, or some Javascript or something else) and
> > POST the encrypted data (encoded in base64 if necessary) to the HTTP server?
>
> What if the semantic of the action was GET? And how will you say which
> resource you are posting to without telling the software doing the
> mapping from resources to logical objects?
>
> If the only thing that is double encrypted is the entity body, but the
> URI, headers and method are all SSL encrypted, then you would start to
> see *some* of the benefits of REST.

I was thinking about filling in a medical claim form, or sending a prescription to a pharmacy (or requesting a refill). If pushing the submit button encrypted the form data and it was POSTed in the normal way to a generic claim or prescription-receiving URI (CGI program or the equivalent) that delivered the encrypted data to the back end system, it's not even clear that SSL would be necessary (this would require that the form data also contained the authenticating information about the sender, etc.).

If it were a violation of the security criteria for someone to be able to tell merely that I (an IP address) used the claim-submission URI or prescription-ordering URL, then SSL would handle the wire security for the URI and headers, but the HTTP(S) server would still know the URI and there might be no easy way around it.

If I were doing a GET, presumably sensitive data I provide (e.g., the query string of the URI) would have to be encrypted on the client, or POST with encryption would have to be used. The host+path part of the URI would still be readable to the HTTP server.

If the sensitive information were returned by the GET (such as if I requested medical records for a patient), presumably it would have to be encrypted on the back end and decrypted by some software on my client.

Am I missing something here?

Jeff