- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 29 Jan 2010 15:30:51 +1100
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Apps Discuss <discuss@apps.ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
I sincerely don't believe that adding any such text to the Link draft (or the URI specification, which is where this really belongs) will make the world any more secure of a place. However, I'll be happy to have that discussion with Eric *if* he brings it up.

Cheers,

On 22/01/2010, at 1:23 AM, Julian Reschke wrote:

> Hi,
>
> finally a security related comment.
>
> During IETF LC for draft-brown-versioning-link-relations we got a comment from Eric Rescorla:
>
> "In general this mechanism seems sound but I'm not sure that the security considerations are entirely adequate. This mechanism lets you learn information about other versions of a resource even if you potentially don't have permission to view them directly. Consider a limiting case where each version of the resource had a name that contained the change set for that resource. E.g.,
>
> http://example.com/versions/filename/_@line_50_+_FOO;@line_60_+_BAR/;
>
> In this case, seeing other parts of the version tree leaks information about those versions. I don't think that this is a problem for the draft, but it might be useful to mention that this feature has implications for name construction."
>
> I assume this is a concern that applies to the Link header in general.
>
> Best regards, Julian
>

--
Mark Nottingham
http://www.mnot.net/
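To make Eric's name-construction point concrete, here is an added example (not code from the thread, the draft, or any of the participants) that contrasts a server emitting predecessor-version/successor-version links built from content-derived version names, as in his URI, with one that maps those names to opaque tokens first. The version labels, the base URI and the helper names are constructed for the example.

```python
import re
import secrets

# Constructed sample: the server's internal version records, keyed by a
# content-derived label in the style of Eric's example URI. Putting such a
# label in a URI tells any client holding a Link header what changed.
VERSION_LOG = [
    "_@line_50_+_FOO",
    "_@line_50_+_FOO;@line_60_+_BAR",
]
BASE = "http://example.com/versions/filename"

def opaque_version_ids(labels):
    """Map each content-derived label to a random, unguessable token.
    A real service would persist this table; here it lives in memory so the
    example runs offline. The token says nothing about the change set."""
    return {label: secrets.token_urlsafe(12) for label in labels}

def build_link_header(base, ids, order, current):
    """Emit a Link header for `current` with the predecessor-version and
    successor-version relations, using whatever identifier `ids` supplies
    for each neighbouring version."""
    i = order.index(current)
    links = []
    if i > 0:
        links.append(f'<{base}/{ids[order[i - 1]]}>; rel="predecessor-version"')
    if i + 1 < len(order):
        links.append(f'<{base}/{ids[order[i + 1]]}>; rel="successor-version"')
    return ", ".join(links)

# Minimal link-value parser: <target>; rel="name" (the only form emitted above).
LINK_RE = re.compile(r'<([^>]*)>\s*;\s*rel="([^"]*)"')

def parse_link_header(value):
    """Return {rel: target} for each link-value in a Link field, as a client sees it."""
    return {rel: target for target, rel in LINK_RE.findall(value)}

def leaks_change_set(targets, labels):
    """True if any advertised target URI embeds a raw change-set label,
    i.e. a client learns the content of a version it may not be allowed to fetch."""
    return any(label in t for t in targets for label in labels)

if __name__ == "__main__":
    naive = build_link_header(BASE, {l: l for l in VERSION_LOG}, VERSION_LOG, VERSION_LOG[1])
    safe = build_link_header(BASE, opaque_version_ids(VERSION_LOG), VERSION_LOG, VERSION_LOG[1])
    print("content-derived names leak:", leaks_change_set(parse_link_header(naive).values(), VERSION_LOG))
    print("opaque tokens leak:        ", leaks_change_set(parse_link_header(safe).values(), VERSION_LOG))
```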
Received on Friday, 29 January 2010 04:31:22 UTC