[cap-talk] network level designation and authorization

Sandro Magi smagi at naasking.homeip.net
Thu Jun 8 14:37:02 EDT 2006


Stiegler, Marc D wrote:
> Another point about a YURL that is worth noting. Suppose one breaks or
> steals a YURL. The typical YURL carries only a little authority (like
> the authority to edit a single web page). Such a break is a tiny thing
> compared to the penetration of a VPN connection. A YURL-based network of
> connections has a larger number of weaker authorizations. 

Subject to the application/service design. If the application is
designed such that the transitive closure of all links reachable from
that one leaked link is the set of all links in the application/service
(at least for the "user" who "owned" that link), then that's just as
disastrous as giving away the username+password in a traditional app.

So YURLs gain you no security advantage in this case, except that it's
more effort to design such a "wide-open" application in the web-calculus
than it currently is with standard-issue web frameworks.

Sandro
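
The reachability argument above, as an added example that is not part of the original post: it models an application's links as a graph and computes what a single leaked YURL exposes. The two link graphs and all resource names are constructed for illustration.

```python
from collections import deque

def reachable(links, leaked):
    """Every resource an attacker can reach by following links from `leaked`."""
    seen = {leaked}
    queue = deque([leaked])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure(links, leaked):
    """Fraction of the user's resources exposed when `leaked` escapes."""
    everything = set(links) | {t for targets in links.values() for t in targets}
    return len(reachable(links, leaked)) / len(everything)

def blast_radius(links):
    """Design-review helper: exposure for each link, worst leak first."""
    nodes = set(links) | {t for targets in links.values() for t in targets}
    return sorted(((exposure(links, n), n) for n in nodes), reverse=True)

# Constructed design A: every page links back to the user's home resource,
# so the closure from any one link is the whole application.
WIDE_OPEN = {
    "home": ["page1", "page2", "settings"],
    "page1": ["home"],
    "page2": ["home"],
    "settings": ["home"],
}

# Constructed design B: links only lead to narrower authority,
# so a leaked page link exposes that page alone.
NARROW = {
    "home": ["page1", "page2", "settings"],
    "page1": [],
    "page2": [],
    "settings": [],
}

if __name__ == "__main__":
    for name, graph in (("wide-open", WIDE_OPEN), ("narrow", NARROW)):
        print(name, blast_radius(graph))
```

In the wide-open graph every entry reports full exposure, which is the username+password case; in the narrow graph only the `home` link does.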

