On Mon, Dec 14, 2009 at 5:53 AM, Jonathan Rees <[email protected]> wrote:
> The only complaint I know of regarding UM is that it is so complicated
> to use in practice that it will not be as enabling as CORS

Actually, Tyler's UM protocol requires the user to confirm message 5 to prevent a CSRF attack. Maciej's CORS version of the protocol requires no such user confirmation. I think it's safe to say that asking the user to confirm security-critical operations is not a good approach.

> Regarding the idea that UM is unproven or undeployed - I think this is
> a peculiar charge given that object-oriented programming dates from
> 1967, and actors date from 1973; and current use of the capability
> pattern, for example in email list validation, shared calendar access
> control, and CSRF defense (Mark can probably provide many other and
> better examples), *is* something we can build on. Ocaps have been
> essentially unchanged for 40 years, with essentially no elaboration or
> revision despite heavy stress testing. AFAIK the academic and
> practical security communities have not converged on any distributed
> (i.e. multilateral) access control system *other* than capabilities.

You're really overstating your case to the point where it's ridiculous.

Adam
