[cap-talk] Webkeys vs. the web

Chip Morningstar chip at fudco.com
Tue Mar 31 15:21:54 EDT 2009

"Karp, Alan H" <alan.karp at hp.com> wrote:

>>> But if this was a webkey system, it wouldn't *have* that link.
>>It *shouldn't* have that link.
>Your comment got me thinking.  That link was probably on the page because the
>page was constructed dynamically based on context.  If I had sent the URL for
>the page to you, the link wouldn't have been there because you wouldn't have
>been logged in to my account.  In fact, if you were logged into your account,
>then maybe the link to your account would have appeared where I saw the link
>to mine.
>That observation may lead to the solution to Chip's problem.  If what appears
>on a page can be tied to the path used to reach it, it should be safe to put
>on a page a link to any page that the user traversed on the path to that page.

That's true as long as the user has traversed through a chain of non-public
links to a page with an unguessable URL.  However, the particular problem I was
posing had to do with the transition from a page whose URL could be expected to
be known.


More information about the cap-talk mailing list