Re: ACTION-278 Hiding metadata for security reasons

From: ashok malhotra <ashok.malhotra@oracle.com>
Date: Mon, 08 Feb 2010 08:08:13 -0800
Message-ID: <4B7036ED.8030706@oracle.com>
To: John Kemp <john@jkemp.net>
CC: Dan Connolly <connolly@w3.org>, Larry Masinter <masinter@adobe.com>, Jonathan Rees <jar@creativecommons.org>, Tyler Close <tyler.close@gmail.com>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
OK.  Good!  You are both disagreeing in the right direction.
I don't understand how the secret URI can be made more secure but I can 
go back and read the thread.
All the best, Ashok


John Kemp wrote:
> On Feb 8, 2010, at 10:32 AM, Dan Connolly wrote:
>
>   
>> On Sun, 2010-02-07 at 14:50 -0800, ashok malhotra wrote:
>>     
>>> Hi Larry:
>>> This is useful.
>>> Non-public URIs provide a weak level of security that is held to be 
>>> adequate for some use cases.
>>> I wonder if there is disagreement with the above statement.
>>>       
>> I disagree.
>>     
>
> And in my previous email, I neglected to mention that I, too, disagree with that statement.
>
>   
>> The unguessable URI pattern can be made about as secure as you like;
>> in particular, as secure or more secure than passwords+cookies.
>>     
>
> Yes, I believe that to be true too - apart from the case where a URI may end up being transmitted to another site "automatically" by means of the Referer HTTP header.
>
> Regards,
>
> - johnk
>   
Received on Monday, 8 February 2010 16:10:40 GMT
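
An added example, not part of the original thread: one way to apply the two points in the quoted exchange, minting a URI whose secret part comes from a CSPRNG at a chosen size, and serving it with `Referrer-Policy: no-referrer` so a browser does not forward it in the Referer header. The origin `files.example`, the function names and the in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets

BASE = "https://files.example/s/"  # hypothetical origin and path prefix
STORE = {}                         # sha256(token) -> resource id; stand-in for a database


def digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def mint_link(resource_id: str, nbytes: int = 32) -> str:
    """Return an unguessable URI carrying nbytes * 8 bits from the OS CSPRNG."""
    token = secrets.token_urlsafe(nbytes)
    # Keep only a digest server-side, so a leaked table holds no working links.
    STORE[digest(token)] = resource_id
    return BASE + token


def revoke_link(uri: str) -> bool:
    """Invalidate a link; returns True if it existed."""
    return STORE.pop(digest(uri[len(BASE):]), None) is not None


def resolve(uri: str):
    """Map a presented URI to (status, response headers, resource id)."""
    headers = {
        # Browsers that honour this omit Referer on requests made from the page,
        # which addresses the leak to other sites raised in the thread.
        "Referrer-Policy": "no-referrer",
        # The response is tied to a secret URI; keep it out of caches.
        "Cache-Control": "private, no-store",
    }
    if not uri.startswith(BASE):
        return 404, headers, None
    # Lookup is by digest of the whole token, so a partially correct guess
    # gains nothing over a wrong one.
    resource = STORE.get(digest(uri[len(BASE):]))
    if resource is None:
        return 404, headers, None
    return 200, headers, resource


if __name__ == "__main__":
    link = mint_link("report-7")  # constructed sample resource id
    print(link)
    print(resolve(link))
```
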