- From: Assaf Arkin <arkin@intalio.com>
- Date: Tue, 25 Feb 2003 12:47:10 -0800
- To: "Cutler, Roger (RogerCutler)" <RogerCutler@chevrontexaco.com>, "Champion, Mike" <Mike.Champion@SoftwareAG-USA.com>, <www-ws-arch@w3.org>
> -----Original Message-----
> From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org] On Behalf Of Cutler, Roger (RogerCutler)
> Sent: Tuesday, February 25, 2003 9:37 AM
> To: Champion, Mike; www-ws-arch@w3.org
> Subject: RE: Visibility (was Re: Introducing the Service Oriented Architectural style, and it's constraints and properties.
>
> OK, since you are appealing to me, I will cheerfully set myself up:
>
> I think that putting just about anything in the URLs would be frowned upon very seriously by the people concerned about security, at least those that I am familiar with. To heck with the identity of the user -- the nature of the service itself would probably be considered sensitive. For example, if we send out 1000 HTTP messages to the same URL, with the nature of the operation encrypted in the body of the message (BUY, SELL, QUOTE PRICE, etc) I don't think there is much problem. But if we send 250 to http://BUY and 300 to HTTP://SELL and so on, I think that in itself would be considered unacceptable. OK, so maybe if A is dealing with X, then they previously agree that http://abra means BUY -- and for B dealing with X they agree that http://cadabra means BUY -- maybe that's OK in terms of security (I don't really know), but it sure doesn't look very late bound or, in fact, very different from encrypting the BUY in the message. I pass on whether that approach would be RESTful.

+1

arkin
Received on Tuesday, 25 February 2003 15:48:42 UTC
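The visibility boundary Roger Cutler describes (request line seen by any proxy or access log, body opaque if it is encrypted) can be made concrete with a small model. The following Python is an added example and is not code from the thread or from any W3C deliverable; the host `trading.example`, the paths, the partner labels and the request counts are all constructed, and random bytes stand in for an encrypted body.

```python
# Added example (not from the mailing-list thread): model what an on-path
# observer who can read HTTP request lines but not encrypted bodies learns
# under the designs contrasted in the quoted message. All hosts, paths,
# operations and partner labels are constructed for illustration.
from collections import Counter
import os


def make_request(host, path, plaintext_operation, partner):
    """Build one request record.

    The body stands in for ciphertext: random bytes replace the operation so
    the observer view below cannot read it. A real deployment would use a
    message-level encryption scheme; the stand-in keeps the example offline.
    """
    return {
        "host": host,
        "path": path,
        "body": os.urandom(16),             # opaque to an observer
        "_operation": plaintext_operation,  # known only to sender and receiver
        "partner": partner,                 # e.g. a source address, visible on the wire
    }


def observer_view(requests):
    """What a proxy or access log reveals: counts of (partner, host, path).

    Bodies are deliberately never consulted. An observer at a TLS-terminating
    proxy, or reading a plain HTTP access log, sees the request line but not
    a payload that was encrypted at the message level.
    """
    return Counter((r["partner"], r["host"], r["path"]) for r in requests)


def operation_in_path(partner, ops):
    """Design 1 in the thread: the operation is the URL (http://BUY, http://SELL)."""
    return [make_request("trading.example", "/" + op, op, partner) for op in ops]


def operation_in_body(partner, ops):
    """Design 2: one URL for every operation; the operation travels only in the body."""
    return [make_request("trading.example", "/service", op, partner) for op in ops]


def operation_in_pseudonym(partner, ops, codebook):
    """Design 3 ("http://abra means BUY"): a per-partner codebook maps operations to paths."""
    return [make_request("trading.example", "/" + codebook[op], op, partner) for op in ops]


def distinct_paths_seen(view):
    """How many different paths the observer can tell apart."""
    return len({path for (_, _, path) in view})


if __name__ == "__main__":
    # Constructed traffic mix matching the numbers in the quoted message.
    ops = ["BUY"] * 250 + ["SELL"] * 300

    v1 = observer_view(operation_in_path("A", ops))
    print("operation in path:", dict(v1))        # per-operation counts are visible

    v2 = observer_view(operation_in_body("A", ops))
    print("operation in body:", dict(v2))        # only a total of 550 is visible

    v3 = observer_view(
        operation_in_pseudonym("A", ["BUY"] * 3, {"BUY": "abra"})
        + operation_in_pseudonym("B", ["BUY"] * 2, {"BUY": "cadabra"})
    )
    print("pseudonymous paths:", dict(v3))       # paths stay distinguishable per partner;
                                                 # their meaning is hidden only while the
                                                 # codebook is
```

Running it shows the three views side by side: with the operation in the path the observer recovers the 250/300 split directly; with a single endpoint it recovers only the total; with per-partner codebook paths it still sees that partner A always uses one path and partner B another, so the design leaks request structure even though the labels themselves carry no meaning to the observer.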