- From: Miles Sabin <miles@milessabin.com>
- Date: Tue, 16 Jul 2002 21:45:47 +0100
- To: www-ws-arch@w3.org
Paul Prescod wrote,
> Miles Sabin wrote:
> >...
> >
> > > An order document is transferred over POST, which includes a URI
> > > to which further correspondence should be sent.
> >
> > What's to guarantee that the callback URI mentioned in the POST'ed
> > document really corresponds to the POST'er?
>
> That's a feature, not a flaw. When I send away to National
> Geographic, I provide an address where I want further correspondence
> directed. If I want to send it to a POBox for anonymity or to my
> neighbour as a gift, I can do that. How is that a problem?

Hmm ... how about if I buy a stack of DVDs from Amazon but point further
electronic (i.e. billing) correspondence at mailto:paul@prescod.net?

Yes, of course there are mechanisms aplenty which would prevent this kind
of abuse, but, and I think this was Francis' point, they typically depend
on being able to assert that party-X-in-sending-role ==
party-X-in-receiving-role. Mark didn't accommodate that aspect of the
challenge in his solution ... and it's not clear to me that REST on its
own is capable of supporting that kind of assertion. Feel free to
correct me.

FWIW, tho', I don't believe that this is a problem only for REST, so I'm
not convinced that Francis' challenge was entirely fair.

Cheers,

Miles
Received on Tuesday, 16 July 2002 16:46:18 UTC
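The post says the mechanisms that prevent a redirected-callback abuse all rest on asserting that the party in the sending role is the same party in the receiving role. The following is an added illustration of one such mechanism, written for this archive page and not code from the thread or from any of its participants: the receiving server does not trust the callback URI named in the POSTed order until the endpoint at that URI proves, over a fresh server-chosen nonce, that it holds the same account credential the authenticated sender used. Everything here is constructed: the per-account shared secrets, the account IDs, the example hostnames, and the `deliver_challenge` function that stands in for the network round-trip to the callback endpoint.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# --- Constructed data; stands in for an account database and for the network ---

# Shared secret per registered account (assumption: provisioned out of band;
# any credential bound to the account identity would serve the same purpose).
ACCOUNT_SECRETS = {
    "acct-123": b"k-acct-123-constructed",
    "acct-999": b"k-acct-999-constructed",
}

# Which account really operates each callback endpoint. The receiving server
# does NOT know this up front; it is the fact the challenge has to establish.
CALLBACK_OPERATORS = {
    "https://orders.acct123.example/callback": "acct-123",
    "https://billing.acct999.example/inbox": "acct-999",
}


def sign(secret: bytes, nonce: bytes) -> str:
    """Proof of possession of an account secret over a server-chosen nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


def deliver_challenge(callback_uri: str, nonce: bytes):
    """Simulated network: the endpoint at callback_uri answers the nonce with
    whatever key its real operator holds. None means nobody answered."""
    operator = CALLBACK_OPERATORS.get(callback_uri)
    if operator is None:
        return None
    return sign(ACCOUNT_SECRETS[operator], nonce)


def callback_is_bound_to_sender(sender: str, callback_uri: str) -> bool:
    """Assert party-X-in-sending-role == party-X-in-receiving-role.

    A scheme check alone is not enough (it only rules out mailto: and the like);
    the binding comes from the endpoint answering with the sender's own key."""
    parsed = urlparse(callback_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        return False
    nonce = secrets.token_bytes(32)          # fresh per check, so answers can't be replayed
    answer = deliver_challenge(callback_uri, nonce)
    if answer is None:
        return False
    expected = sign(ACCOUNT_SECRETS[sender], nonce)
    return hmac.compare_digest(answer, expected)


def accept_order(sender: str, order: dict) -> dict:
    """`sender` is the account that authenticated on the POST (the sending role).
    The order is accepted only if the callback URI it names is shown to be
    operated by that same party (the receiving role)."""
    if sender not in ACCOUNT_SECRETS:
        return {"accepted": False, "reason": "unknown sender"}
    uri = order.get("callback_uri", "")
    if not callback_is_bound_to_sender(sender, uri):
        return {"accepted": False, "reason": "callback not proven to belong to sender"}
    return {"accepted": True, "callback_uri": uri}


if __name__ == "__main__":
    # Own endpoint: accepted. Someone else's endpoint, or a mailto:, is refused.
    print(accept_order("acct-123", {"callback_uri": "https://orders.acct123.example/callback"}))
    print(accept_order("acct-123", {"callback_uri": "https://billing.acct999.example/inbox"}))
    print(accept_order("acct-123", {"callback_uri": "mailto:someone@example.com"}))
```

The point of the nonce is that the receiving server never has to trust the URI string itself; it trusts only an answer that could have been produced with the credential already tied to the authenticated sender, which is exactly the sending-role/receiving-role equality the post describes.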