Re: Re: Cookies at XML Europe 2004 -- Call for Participation

Cart

XML Editor - Download a Free Trial >

See What's New >

Buy Now >

[Home] [By Thread] [By Date] [Recent Entries]

To: "jcowan@r..." <jcowan@r...>
Subject: Re: Re: Cookies at XML Europe 2004 -- Call for Participation
From: Rich Salz <rsalz@d...>
Date: Tue, 6 Jan 2004 19:29:21 -0500 (EST)
Cc: "xml-dev@l..." <xml-dev@l...>
In-reply-to: <20040106225031.GG18224@s...>

> > Good security requires state.
>
> I don't understand this.  _Efficient_ security may require state, but
> using a distinct and unpredictable session key for every stateless
> transaction is surely entirely secure.

First, good security is efficient security.  Second, in order to securely
exchange session keys, you have to use the "login key" of the parties.
This means the login key (e.g., private key, or passphrase-to-3DESkey)
has to be available for every transaction.  This means its exposed more.
This means it's less secure.

It would be as if the Unix shell required you to enter you password each
time you entered a command line.
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

References:
- Re: Re: Cookies at XML Europe 2004 -- Call for Particip ation
  - From: jcowan@r...

Prev by Date: RE: Another mutated variant of the 'PowerPoint makes yo udumb' story
Next by Date: Re: wacky XML
Previous by thread: Re: Re: Cookies at XML Europe 2004 -- Call for Particip ation
Next by thread: RE: Re: Cookies at XML Europe 2004 -- Call for Particip ation
Index(es):
- Date
- Thread

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >