Re: ACTION-278 Hiding metadata for security reasons

On Sun, Dec 27, 2009 at 12:00 PM,  <noah_mendelsohn@us.ibm.com> wrote:
> Tyler Close writes:
>
>> Good Practice: URI assignment authorities SHOULD NOT put confidential
>> metadata in a URI whose protocol does not support confidentiality.
>
> Tyler, thank you for the thoughtful comments.

My pleasure, thank you for considering them.

>  I think what surprises me
> about the above is the presumption that the URIs themselves are in common
> cases restricted to use with particular protocols.

I am presuming that a URI assignment authority can feasibly deploy
URIs that will only be used with protocols that provide suitable
protection. My web-key paper provides design advice on how to do so.
My Waterken server software provides implementation support for
following this design advice. Other developers have used their own
designs and software to similar effect, some of which have achieved
significant popularity.

>  Perhaps I'm
> misunderstanding, but do you refer to protocols like HTTPS used with URI
> schemes such as https?

Yes. Is there a better way of stating this relationship?

>  My concern is that, even when such URIs and
> protocols are used, the URIs themselves may be available in the clear,
> e.g. in the client, or in pages linking the resource, or perhaps even in
> certain intermediaries or logs.

They certainly "may" be, but they need not be; my web-key paper
explains how. Consequently, applications deployed to existing browsers
can adequately protect the confidentiality of an unguessable URL.

>  The advice not to put confidential
> information in URIs at all was motivated in part, I think, by such
> concerns.

If there were no value to putting confidential information in a URI,
this may be good advice. However, since even the current text
recognizes that there is value in making a URI unguessable, the advice
is overly restrictive, to the point of self-contradiction.

>  I feel like I'm probably missing something about your proposal,
> as I'm sure you've thought of such things.  Thank you.

I suspect it's more a question of perspective. Using unguessable URLs
is a different way of looking at the Web. Adopting this alternate
perspective is motivated by protection against a broad range of
attacks, as well as application flexibility and interoperability
gained through adherence to webarch principles.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Sunday, 27 December 2009 23:04:28 UTC
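The mechanism Tyler alludes to above ("they need not be; my web-key paper explains how") rests on where in the URI the unguessable part is placed. The following is an added illustration written for this archive page; it is not code from the web-key paper or from the Waterken server, and the function and parameter names are my own. It assumes the web-key convention of carrying the key in the fragment identifier, and contrasts it with a query-string placement: a client never transmits the fragment in the HTTP request line, so a fragment-borne key does not show up in the request target that intermediaries and server access logs record, whereas a query-borne key does. The constant-time comparison in `authorize` is the check a server should use once the key is handed to it by client-side script.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit


def new_key(key_bits: int = 128) -> str:
    """Generate an unguessable key with key_bits of entropy, URL-safe base64 encoded."""
    return secrets.token_urlsafe(key_bits // 8)


def web_key_url(base_url: str, key: str) -> str:
    """Place the key in the fragment identifier (the web-key convention, assumed here)."""
    scheme, netloc, path, query, _ = urlsplit(base_url)
    return urlunsplit((scheme, netloc, path or "/", query, "s=" + key))


def query_key_url(base_url: str, key: str) -> str:
    """Contrast case: the same key carried in the query string instead of the fragment."""
    scheme, netloc, path, query, fragment = urlsplit(base_url)
    sep = "&" if query else ""
    return urlunsplit((scheme, netloc, path or "/", query + sep + "s=" + key, fragment))


def request_target(url: str) -> str:
    """The request-target a conforming client puts on the HTTP request line.

    Per RFC 3986 the fragment is handled by the client only and is never sent,
    so only path and query reach the server, its logs, and any proxy in between.
    """
    _, _, path, query, _ = urlsplit(url)
    return urlunsplit(("", "", path or "/", query, ""))


def key_reaches_server(url: str, key: str) -> bool:
    """True if the key would appear in what the server (and its access log) sees."""
    return key in request_target(url)


def fragment_key(url: str) -> Optional[str]:
    """What client-side script would extract from the fragment to present later."""
    return parse_qs(urlsplit(url).fragment).get("s", [None])[0]


def authorize(presented: str, expected: str) -> bool:
    """Compare the presented key against the stored one in constant time."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    key = new_key()
    base = "https://example.com/app"  # constructed sample base URL
    for label, url in (("fragment", web_key_url(base, key)),
                       ("query", query_key_url(base, key))):
        print(f"{label:8} request line: GET {request_target(url)} HTTP/1.1"
              f"  key visible to server/log: {key_reaches_server(url, key)}")
```

Running the block prints two request lines for the same key: the fragment form sends `GET /app HTTP/1.1` with no trace of the key, the query form sends the key in the clear on the request line. The key still has to be presented to the server eventually (script reads it from the fragment and sends it in a request body or header), which is why the protocol carrying that later request must itself provide confidentiality, as the Good Practice quoted at the top of the thread requires.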