
Re: Content security model

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Thu, 26 Jul 2012 06:41:30 +0000
To: "Manger, James H" <James.H.Manger@team.telstra.com>
cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <4468.1343284890@critter.freebsd.dk>
In message <255B9BB34FB7D647A506DC292726F6E114F800B6F5@WSMSG3153V.srv.dir.telstra.com>, "Manger, James H" writes:

> > > 3) HTTP security controls should only secure content.
> > > Signing headers is not only difficult, it is often counterproductive.
> > > If a Web service depends on information in a header
> > > there is probably something wrong.
> 
> What about the URI?
> What about the method (GET, POST, DELETE...)?
> 
> Only protecting the body only works for RPC-style web services [...]

This is where we need to use a more precise terminology than "protect"
and "secure":

Are we talking Authenticity, Privacy or Integrity here?

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
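The point raised in the quoted text (a body-only signature leaves the method and URI unprotected) can be shown with a few lines of code. The following is an added example, not code from either correspondent or from any HTTP signature specification: it assumes a shared HMAC key and a canonical string of the example's own design (method, URI, body digest, one per line), and compares a verifier that checks only the body against one that binds method and URI. The MAC gives integrity and, with a shared key, authenticity of the request; it says nothing about privacy, which is the distinction the reply asks for.

```python
"""Toy HTTP request-signing comparison (constructed example)."""
import hashlib
import hmac

# Constructed shared key for the demo; a real deployment provisions keys per client.
DEMO_KEY = b"constructed-demo-key"


def mac_body_only(body: bytes, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 over the entity body alone."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def mac_request(method: str, uri: str, body: bytes, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 over a canonical string that binds method and URI to the body.

    The canonical form (one field per line, body represented by its SHA-256) is an
    assumption of this example, not a standard format.
    """
    body_digest = hashlib.sha256(body).hexdigest()
    canonical = "\n".join([method.upper(), uri, body_digest]).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def server_accepts_body_only(method: str, uri: str, body: bytes, sig: str,
                             key: bytes = DEMO_KEY) -> bool:
    """Verifier that checks only the body; method and URI are never consulted."""
    return hmac.compare_digest(mac_body_only(body, key), sig)


def server_accepts_bound(method: str, uri: str, body: bytes, sig: str,
                         key: bytes = DEMO_KEY) -> bool:
    """Verifier that recomputes the MAC over method, URI and body."""
    return hmac.compare_digest(mac_request(method, uri, body, key), sig)


def compare_schemes() -> dict:
    """Sign one constructed request, then present it to each verifier with the
    original and with an altered method or URI. Returns accept/reject per case."""
    body = b'{"amount": 10}'  # constructed sample body
    sig_body = mac_body_only(body)
    sig_bound = mac_request("POST", "/transfer", body)
    return {
        "body_only/original": server_accepts_body_only("POST", "/transfer", body, sig_body),
        "body_only/other_method": server_accepts_body_only("DELETE", "/transfer", body, sig_body),
        "body_only/other_uri": server_accepts_body_only("POST", "/admin/transfer", body, sig_body),
        "bound/original": server_accepts_bound("POST", "/transfer", body, sig_bound),
        "bound/other_method": server_accepts_bound("DELETE", "/transfer", body, sig_bound),
        "bound/other_uri": server_accepts_bound("POST", "/admin/transfer", body, sig_bound),
    }


if __name__ == "__main__":
    for case, accepted in compare_schemes().items():
        print(f"{case:26s} accepted={accepted}")
```

The body-only verifier accepts the same signature under a changed method or URI, which is exactly why it only suits RPC-style services where the body carries the whole request; the bound verifier rejects both alterations while still saying nothing about who can read the request.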
Received on Thursday, 26 July 2012 06:42:00 GMT
