- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Thu, 26 Jul 2012 06:41:30 +0000
- To: "Manger, James H" <James.H.Manger@team.telstra.com>
- cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
In message <255B9BB34FB7D647A506DC292726F6E114F800B6F5@WSMSG3153V.srv.dir.telstra.com>, "Manger, James H" writes:

>>> 3) HTTP security controls should only secure content.
>>> Signing headers is not only difficult, it is often counterproductive.
>>> If a Web service depends on information in a header
>>> there is probably something wrong.
>
> What about the URI?
> What about the method (GET, POST, DELETE...)?
>
> Only protecting the body only works for RPC-style web services [...]

This is where we need to use a more precise terminology than "protect", and "secure":

Are we talking Authenticity, Privacy or Integrity here ?

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Thursday, 26 July 2012 06:42:00 UTC
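An added illustration of the point raised in the quoted reply (it is not code from the thread or from any proposal discussed there): an HMAC gives integrity and origin authenticity only for the bytes it covers, and none of privacy. If the tag covers the body alone, the same tag verifies when that body is replayed under a different method and URI; binding method and URI into a length-framed canonical string closes that. The key, URIs and JSON body are constructed sample values.

```python
import hashlib
import hmac

# Constructed shared secret for the demonstration; not from the thread.
KEY = b"example-shared-secret"


def sign_body_only(body: bytes) -> str:
    """Tag over the entity body alone ("only secure content")."""
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def canonical_request(method: str, uri: str, body: bytes) -> bytes:
    """Length-prefix each field so no field boundary can be shifted."""
    parts = [method.upper().encode(), uri.encode(), body]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_request(method: str, uri: str, body: bytes) -> str:
    """Tag that also binds the request line (method and URI) to the body."""
    return hmac.new(KEY, canonical_request(method, uri, body), hashlib.sha256).hexdigest()


def verify(method: str, uri: str, body: bytes, tag: str, cover_request: bool) -> bool:
    """Server-side check; cover_request selects which fields the tag must cover."""
    expected = sign_request(method, uri, body) if cover_request else sign_body_only(body)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    body = b'{"amount": 10}'
    # The request the client actually signed (constructed sample).
    method, uri = "POST", "/accounts/1/deposit"
    tag_body = sign_body_only(body)
    tag_full = sign_request(method, uri, body)
    # The same body presented under a different method and URI.
    moved = ("DELETE", "/accounts/2", body)
    return {
        "body_only_accepts_moved": verify(*moved, tag_body, cover_request=False),
        "full_accepts_moved": verify(*moved, tag_full, cover_request=True),
        "full_accepts_original": verify(method, uri, body, tag_full, cover_request=True),
    }
```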