Close, Tyler J. wrote:
> I've written several messages to the appformats mailing list. I suggest reading
> all of them. The most detailed description of the attacks is in the message at:
>
> http://www.w3.org/mid/[EMAIL PROTECTED]
>
> with a correction at:
>
> http://www.w3.org/mid/[EMAIL PROTECTED]

You do realise that with XDR, the ‘resource host’ has no means to authenticate the user using (relatively secure) HTTP digest authentication?

In order to acquire the desired functionality (for which it needs the user’s credentials), with XDR the resource host will most likely end up passing the authentication information along in the GET query string (bad), probably requiring the user to fill in his credentials on the origin site (bad), and sending the user’s password plain over the wire (bad).

I think the history of HTML has taught us that if people want to do something (e.g. styling), and you do not provide the means, they will abuse other mechanisms (tables) to achieve their goals. I can assure you people will work around the limitations of XDR in the same manner. The least we can do is provide a mechanism that lets the user do what he wants, yet is easy to control and secure.

That is the big problem with XDR’s restrictions. Well, aside from its breaking of REST by disallowing PUT and DELETE and setting the Content-Type and Accept-* headers, while favouring SOAP (which DOES have the ability to delete() and authenticate) and encouraging content sniffing. I hope you can see why I don’t share your enthusiasm for Microsoft’s proposal :).

~Grauw

--
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.
