[cap-talk] bundling designation and authority
smagi at naasking.homeip.net
Fri Oct 14 08:13:11 EDT 2005
Jed at Webstart wrote:
>> Suspecting a phisher, the defendant openly admitted that he attempted
>> to obtain additional information (intent) not present on the given web
>> pages (the authorized context).
> Aren't you assuming what you are trying to demonstrate in the above?
> Namely that the "given web pages" (whatever those are) are the
> authorized context?
I'm having trouble understanding why this model wouldn't make immediate
sense to people on this list. After all, the very subject of this thread
is "bundling designation and authority". A link can be viewed as a
trivially forgeable bundle designating a resource and authority to
invoke a GET on it (by clicking on it). It's not a capability, but the
bundling is still there.
I'm very aware that this is a restriction on the operation of URLs, but
restrictions are present in just every web application framework that
doesn't use the full set of www semantics. To a typical web application
programmer, who creates pages so users may consume services, he might
very well be miffed that some user isn't sticking to the pages he
created, even though this is explicitly allowed by the RFCs. The pages
the programmer creates and links together express his intent for how the
user is to access his site/services. This implies that the pages he
creates and links together are what he *authorizes* the user to view. If
this does not follow, then please point out where I've made a mistake.
> A "web program"? What do you mean by that? How is the authorization
> context of such a "web program" visible to the user? E.g. in the sense
> that Nick Szabo noted earlier, "So I'd characterize our issue as: what
> is the (if any) widely understood way of communicating authorization to
> web users?"
Any reasonable web user, if he sees a link, would expect that he is
allowed to click on that link. Only a subset of such users, once logged
into a site that processes credit card transactions, would expect that
it's perfectly ok to start typing in any old URLs for that same server
and attempt to access them.
> How is that meaning "authorized context" communicated to the user? I
> don't believe there was any such communication in this case. It seems
> to me that Mr. Cuthbert had a reasonable believe that his ../../../
> access was "authorized" and perhaps only unexpected in the case the site
> was phishing.
Oh I think his belief was very reasonable; it's codified in the RFCs
after all. Unfortunately, it's not our opinion that matters though, but
what is "widely understood" outside of smaller, more knowledgeable
More information about the cap-talk