RE: [p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
p2p-hackers, meet rest-discuss. rest-discuss, I'd like to introduce you to p2p-hackers.
RESTafarians: there is a long-running conversation on p2p-hackers about friendnets, also known as darknets, small world networks, and F2F networks; also capabilities security, sometimes known as smart contracts. An example thread begins at http://zgp.org/pipermail/p2p-hackers/2005-August/002915.html
p2p-hackers: Tyler Close's method for HTTP access control using nothing but unguessable (and secret) URIs came up on REST-discuss. That thread begins at http://groups.yahoo.com/group/rest-discuss/message/5228. In the context of friendnets, Tyler's scheme is a beautifully simple way of controlling access using nothing but low-tech means. Not only does it limit access to trusted parties, it also allows for transitive relationships. (Warning: his scheme is counterintuitive, since the dependence on secret URLs smells like security through obscurity.)
Interesting idea. It may not be security via obscurity, but it does appear to ignore a number of practical considerations. For instance, what about the secret URL being passed on in referrer headers to other pages? I think some browsers block it when you go from a secure page to a non-secure page on another site (although I'm unsure about that). The argument that users shouldn't put links to on a secured page is more surprising than the things it is trying to avoid (to me anyway). OTOH, all browsers block HTTP authentication credentials from being passed in the referrer header.

Nick

_______________________________________________
p2p-hackers mailing list
p2p-hackers@zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
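As an added illustration (not Tyler Close's code, nor anything posted in the thread), the Python below sketches the scheme under discussion: an unguessable secret URI as the only access control, transitive delegation with per-holder revocation, and, for the referrer leak Nick raises, the response headers a present-day server would set (Referrer-Policy did not exist when this thread was written). The origin example.invalid, the /cap/ path layout and all names are assumptions.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

ORIGIN = "https://example.invalid"  # constructed placeholder origin


class CapabilityStore:
    """In-memory table of secret-URL capabilities, keyed by token hash."""

    def __init__(self):
        # sha256(token) -> {"resource": str, "delegatable": bool}
        self._caps = {}

    @staticmethod
    def _key(url):
        """Hash of the secret path segment, or None for non-capability URLs.
        Only hashes are stored, so a copied table yields no usable URLs."""
        path = urlsplit(url).path
        if not path.startswith("/cap/"):
            return None
        return hashlib.sha256(path[len("/cap/"):].encode()).hexdigest()

    def mint(self, resource, delegatable=True):
        """Issue a fresh capability URL; 32 random bytes defeat URL guessing."""
        url = f"{ORIGIN}/cap/{secrets.token_urlsafe(32)}"
        self._caps[self._key(url)] = {"resource": resource,
                                      "delegatable": delegatable}
        return url

    def resolve(self, url):
        """Return the resource a URL grants, or None if it grants nothing."""
        entry = self._caps.get(self._key(url))
        return entry["resource"] if entry else None

    def delegate(self, url):
        """Transitive sharing: the holder gets a separately revocable,
        non-redelegatable URL for the same resource (None if not allowed)."""
        entry = self._caps.get(self._key(url))
        if not entry or not entry["delegatable"]:
            return None
        return self.mint(entry["resource"], delegatable=False)

    def revoke(self, url):
        """Revoking one URL leaves other holders' URLs intact."""
        self._caps.pop(self._key(url), None)


def response_headers():
    """Headers to send with capability-URL responses so browsers neither put
    the secret URL in Referer when following links nor cache it on disk."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
```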