W3C home > Mailing lists > Public > www-ws-arch@w3.org > July 2002

Re: A REST challenge

From: Miles Sabin <miles@milessabin.com>
Date: Tue, 16 Jul 2002 21:45:47 +0100
To: www-ws-arch@w3.org
Message-Id: <200207162145.47331.miles@milessabin.com>

Paul Prescod wrote,
> Miles Sabin wrote:
> >...
> >
> > > An order document is transferred over POST, which includes a URI
> > > to which further correspondance should be sent.
> >
> > What's to guarantee that the callback URI mentioned in the POST'ed
> > document really corresponds to the POST'er?
>
> That's a feature, not a flaw. When I send away to National
> Geographic, I provide an address where I want further correspondance
> directed. If I want to send it to a POBox for anonymity or to my
> neighbour as a gift, I can do that. How is that a problem?

Hmm ... how about if I buy a stack of DVDs from Amazon but point further 
electronic (ie. billing) correspondance at mailto:paul@prescod.net?

Yes, of course there are mechanisms aplenty which would prevent this 
kind of abuse, but, and I think this was Francis' point, they typically 
depend on being able to assert that party-X-in-sending-role == 
party-X-in-receiving-role. Mark didn't accomodate that aspect of the 
challenge in his solution ... and it's not clear to me that REST on its 
own is capable of supporting that kind of assertion. Feel free to 
correct me.

FWIW, tho', I don't believe that this is a problem only for REST, so I'm 
not convinced that Francis challenge was entirely fair.

Cheers,


Miles
Received on Tuesday, 16 July 2002 16:46:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:02 GMT