> I guess you could argue that if you made a random URL and only
> distributed it in authenticated channels, then you could allow GETs to it,
> using the URL itself as an authenticator.

Yuk.

We have seen too many instances where "guessable" private URLs exposed data
where they shouldn't.  I don't think treating URLs as both the content-id and
a security token is the way to go.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
