Re: Content security model

In message <255B9BB34FB7D647A506DC292726F6E114F800B6F5@WSMSG3153V.srv.dir.telstra.com>, "Manger, James H" writes:

> > > 3) HTTP security controls should only secure content.
> > > Signing headers is not only difficult, it is often counterproductive.
> > > If a Web service depends on information in a header
> > > there is probably something wrong.
> 
> What about the URI?
> What about the method (GET, POST, DELETE...)?
> 
> Only protecting the body only works for RPC-style web services [...]

This is where we need to use a more precise terminology than "protect",
and "secure":

Are we talking Authenticity, Privacy or Integrity here?

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Thursday, 26 July 2012 06:42:00 UTC
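Added example, not part of either James Manger's or Poul-Henning Kamp's messages: the method/URI question raised above, made concrete in Python. It compares an HMAC that covers only the entity body with one that also binds the method and request-target, then shows which retargeted requests each verifier accepts; the shared key and the DELETE /orders/42 request are constructed for the illustration.

```python
import hashlib
import hmac

KEY = b"constructed-example-key"  # constructed shared secret, not from the thread


def mac_body_only(body: bytes) -> str:
    """'Content only' position: the MAC sees nothing but the entity body."""
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def mac_method_uri_body(method: str, uri: str, body: bytes) -> str:
    """Bind method and request-target to the body: one line each for METHOD,
    URI and hex SHA-256(body); hashing the body first keeps a body containing
    newlines from being confused with the method or URI lines."""
    canonical = "\n".join([method.upper(), uri, hashlib.sha256(body).hexdigest()])
    return hmac.new(KEY, canonical.encode(), hashlib.sha256).hexdigest()


def verify(policy: str, method: str, uri: str, body: bytes, tag: str) -> bool:
    """Recompute the MAC under the given policy and compare in constant time."""
    if policy == "body":
        expected = mac_body_only(body)
    else:  # "method-uri-body"
        expected = mac_method_uri_body(method, uri, body)
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Sign 'DELETE /orders/42' (empty body), then present the same tag elsewhere."""
    method, uri, body = "DELETE", "/orders/42", b""
    body_tag = mac_body_only(body)
    bound_tag = mac_method_uri_body(method, uri, body)
    return {
        # Body-only: every empty-body request has the same tag, so a change
        # of request-target or method is not detected by the verifier.
        "body_only/original": verify("body", method, uri, body, body_tag),
        "body_only/other_uri": verify("body", method, "/orders/7", body, body_tag),
        "body_only/other_method": verify("body", "GET", uri, body, body_tag),
        # Bound: only the exact method and URI that were signed verify.
        "bound/original": verify("method-uri-body", method, uri, body, bound_tag),
        "bound/other_uri": verify("method-uri-body", method, "/orders/7", body, bound_tag),
        "bound/other_method": verify("method-uri-body", "GET", uri, body, bound_tag),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24} {'verifies' if ok else 'rejected'}")
```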