On 8/21/06, Ed Bindl <[EMAIL PROTECTED]> wrote:

1.2 Ticket ID Scheme

    The only condition imposed on ticket IDs is that the ticket ID MUST
    be unique on a resource at any given time. However, since the ticket
    ID is used as proof that a principal is in possession of the ticket,
    a server SHOULD select a ticket ID scheme such that it would be
    sufficiently difficult for an adversary in a way to guess or predict
    a ticket ID.

that doesn't preclude my suggestion.

Another point that we are not considering is that Tickets can be
limited on how long they are valid and how many uses they allow.
This may allow for people that are concerned with others passing
along their URL with the ticket enclosed to put a shorter timeout on
the ticket, or possibly only issue 1 time use tickets (Limited use
tickets are currently not supported by cosmo).

yea, but those features don't support long term sharing very well.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Open Source Applications Foundation "Design" mailing list
http://lists.osafoundation.org/mailman/listinfo/design
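
An added example, not part of the original thread and not Cosmo's code: a minimal ticket store showing the three properties discussed above (an unguessable ticket ID per section 1.2, a timeout, and an optional use limit). The class, method and parameter names are hypothetical, and the 128-bit ID length is an assumption.

```python
import secrets
import time


class Ticket:
    def __init__(self, resource, expires_at, uses_left):
        self.resource = resource
        self.expires_at = expires_at   # absolute expiry, seconds since epoch
        self.uses_left = uses_left     # None = unlimited uses until expiry


class TicketStore:
    """Hypothetical in-memory store; names are illustrative, not Cosmo's API."""

    def __init__(self, clock=time.time):
        self._tickets = {}             # ticket ID -> Ticket
        self._clock = clock            # injectable so expiry can be tested

    def issue(self, resource, timeout_s, max_uses=None):
        if max_uses is not None and max_uses < 1:
            raise ValueError("max_uses must be at least 1")
        # 128 bits from the OS CSPRNG: unique in practice and infeasible
        # to guess or predict, which is what section 1.2 asks for.
        ticket_id = secrets.token_urlsafe(16)
        self._tickets[ticket_id] = Ticket(
            resource, self._clock() + timeout_s, max_uses)
        return ticket_id

    def redeem(self, ticket_id, resource):
        """Return True if the ticket grants access to resource right now."""
        ticket = self._tickets.get(ticket_id)
        if ticket is None or ticket.resource != resource:
            return False               # unknown ID, or ticket for another resource
        if self._clock() >= ticket.expires_at:
            del self._tickets[ticket_id]       # expired: drop it
            return False
        if ticket.uses_left is not None:
            ticket.uses_left -= 1
            if ticket.uses_left == 0:
                del self._tickets[ticket_id]   # last permitted use consumed
        return True
```

A ticket issued with a long timeout and no use limit covers the long-term sharing case; a forwarded URL then stays valid until the ticket expires or is revoked.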
