[cap-talk] bundling designation and authority

Sandro Magi smagi at naasking.homeip.net
Fri Oct 14 08:13:11 EDT 2005


Jed at Webstart wrote:
>> Suspecting a phisher, the defendant openly admitted that he attempted 
>> to obtain additional information (intent) not present on the given web 
>> pages (the authorized context).
> 
> 
> Aren't you assuming what you are trying to demonstrate in the above?  
> Namely that the "given web pages" (whatever those are) are the 
> authorized context?

I'm having trouble understanding why this model wouldn't make immediate 
sense to people on this list. After all, the very subject of this thread 
is "bundling designation and authority". A link can be viewed as a 
trivially forgeable bundle designating a resource and authority to 
invoke a GET on it (by clicking on it). It's not a capability, but the 
bundling is still there.

I'm very aware that this is a restriction on the operation of URLs, but 
restrictions are present in just about every web application framework 
that doesn't use the full set of www semantics. A typical web application 
programmer, who creates pages so users may consume services, might very 
well be miffed that some user isn't sticking to the pages he created, 
even though this is explicitly allowed by the RFCs. The pages the 
programmer creates and links together express his intent for how the 
user is to access his site/services. This implies that the pages he 
creates and links together are what he *authorizes* the user to view. If 
this does not follow, then please point out where I've made a mistake.

> A "web program"?  What do you mean by that?  How is the authorization 
> context of such a "web program" visible to the user?  E.g. in the sense 
> that Nick Szabo noted earlier, "So I'd characterize our issue as: what 
> is the (if any) widely understood  way of communicating authorization to 
> web users?"

Any reasonable web user, if he sees a link, would expect that he is 
allowed to click on that link. Only a subset of such users, once logged 
into a site that processes credit card transactions, would expect that 
it's perfectly ok to start typing in any old URLs for that same server 
and attempt to access them.

> How is that meaning "authorized context" communicated to the user?  I 
> don't believe there was any such communication in this case.  It seems 
> to me that Mr. Cuthbert had a reasonable belief that his ../../../ 
> access was "authorized" and perhaps only unexpected in the case the site 
> was phishing.

Oh I think his belief was very reasonable; it's codified in the RFCs 
after all. Unfortunately, it's not our opinion that matters though, but 
what is "widely understood" outside of smaller, more knowledgeable 
communities.

Sandro

