Re: httpy:// Ben Laurie (ben@algroup.co.uk)
Mon, 15 May 2000 10:27:06 +0100

Tyler Close wrote:
>
> Ben Laurie wrote:
> > Aren't the resulting URLs going to be signed by the owner
> > of the URI,
> > and hence unforgeable?
>
> No, they are not signed. URLs can be made unforgeable by putting a
> SwissNumber in them.

Eh? Doesn't that make them unguessable?

> The only reason to sign something is if you want to provide offline
> verification of authenticity, or non-repudiation. I can't think of any
> scenarios in which I'd want to verify the authenticity of a URI
> offline. It's so much easier to just click on it.

Unless you have a reverse mapping embedded in the response to the URL fetch, clicking on it doesn't verify its correctness, only its existence. i.e. what I'm saying is you need a defence against mallet finding that perverting URI mapping uri:A -> url:B to map uri:A -> url:C instead, where url:C is a working URL, has a useful effect.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html