- From: Larry Masinter <masinter@adobe.com>
- Date: Sun, 7 Feb 2010 19:41:06 -0800
- To: "ashok.malhotra@oracle.com" <ashok.malhotra@oracle.com>
- CC: Jonathan Rees <jar@creativecommons.org>, Tyler Close <tyler.close@gmail.com>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
>> Non-public URIs provide a weak level of security that is held to be >> adequate for some usecases. > I wonder if there is disagreement with the above statement. Not too bad, but I'm not sure "non-public" captures the sense. Whether something is or isn't "public" depends on whether it has been disclosed publically, and so whether URIs are 'public' depend on where you are in the life cycle. "unguessable URIs" for me captures the spirit more: "One pattern is using unguessable URIs as a resource identifier for a temporary-validity 'resource' which really acts as a capability to perform some action -- access a document or calendar entry, unsubscribe from a mailing list or some such. When used with time-limits and other protection mechanisms intended to slow or minimize the possibilities of accidental disclosure, unguessable URIs may be useful in situations where requirements for confidentiality aren't high."
Received on Monday, 8 February 2010 03:41:59 UTC