[cap-talk] solve CSRF by making references unforgeable, not unshareable
Sam Mason
sam at samason.me.uk
Thu Apr 2 11:08:36 EDT 2009
On Thu, Apr 02, 2009 at 02:23:57AM +0100, David-Sarah Hopwood wrote:
> Sam Mason wrote:
> > surely that's why it's the "asymptotic complexity" and not
> > worst case analysis.
>
> I think you're confusing "asymptotic" with "average-case".
Indeed I was!
> In any case, IMHO the choice of representation can safely be left to
> individual cap system implementors, who will have a better knowledge of
> how the lookup cost, and other consequences of the representation, are
> affected by implementation details of their system.
Yes it should be; I thought I was missing some implementation detail
that made using some sort of index and other state (password?) scheme
inherently better from an implementation point of view than using some
sparse random identifier as I'd always played around with before.
I think I've come to the conclusion that they're different, but not by
much, and you'd have to know a lot of system-specific details before it
was obvious which way was "better".
--
Sam http://samason.me.uk/