[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization

Nick Lothian nlothian at educationau.edu.au
Mon Sep 26 18:35:31 PDT 2005


>
> p2p-hackers, meet rest-discuss.  rest-discuss, I'd like to
> introduce you to p2p-hackers.
>
> RESTafarians: there is a long-running conversation on
> p2p-hackers about friendnets, also known as darknets, small
> world networks, and F2F networks; also capabilities security,
> sometimes known as smart contracts.  An example thread begins
> at http://zgp.org/pipermail/p2p-hackers/2005-August/002915.html
>
> p2p-hackers: Tyler Close's method for HTTP access control
> using nothing but unguessable (and secret) URIs came up on
> REST-discuss.  That thread begins at
> http://groups.yahoo.com/group/rest-discuss/message/5228  In
> the context of friendnets, Tyler's scheme is a beautifully
> simple way of controlling access using nothing but low-tech
> means.  Not only does it limit access to trusted parties, it
> also allows for transitive relationships.  (Warning: his
> scheme is counterintuitive, since the dependence on secret
> URLs smells like security through obscurity).
>

Interesting idea.

It may not be security via obscurity, but it does appear to ignore a
number of practical considerations.

For instance, what about the secret URL being passed on in referrer
headers to other pages? I think some browsers block it when you go from
a secure page to a non-secure page on another site (although I'm unsure
about that). The argument that users shouldn't put links on a secured
page is more surprising than the things it is trying to avoid (to me
anyway).

OTOH, all browsers block HTTP authentication credentials from being
passed in the referrer header.

Nick
_______________________________________________
p2p-hackers mailing list
p2p-hackers at zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
