httpy://

Ben Laurie ben@algroup.co.uk
Mon, 15 May 2000 18:00:05 +0100


Tyler Close wrote:
> 
> Ben Laurie responding to me:
> > > The only reason to sign something is if you want to provide offline
> > > verification of authenticity, or non-repudiation. I can't think of any
> > > scenarios in which I'd want to verify the authenticity of a URI
> > > offline. It's so much easier to just click on it.
> >
> > Unless you have a reverse mapping embedded in the response to the URL
> > fetch, clicking on it doesn't verify its correctness, only its
> > existence. i.e. what I'm saying is you need a defence against mallet
> > finding that perverting URI mapping uri:A -> url:B to map uri:A -> url:C
> > instead, where url:C is a working URL, has a useful effect.
> 
> How does mallet effect this perversion?

I don't know. Are you saying he can't? Since you were talking about
untrusted SLSes earlier, I presumed this was easy!

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html