Transitive authorization
I want to grant you access to a link to something on the web that is protected. It requires authentication so I send you a username and password because I trust you. I trust you that you will only transmit this sensitive info to someone you trust as well.
So I send you this:
site: http://somesite.com/somepage
username: yourusername
password: yourpassword
On the rest-discuss mailing list, there is a thread that poped up suggesting that URLs can be used to protect resources. As one suggested in this thread, this scheme is counterintuitive, since the dependence on secret URLs smells like security through obscurity, but this is not the case. The URL is made up of a key that can not be guessed. For example, instead of sending you the above info, I would email you this URL:
http://somesite.com/puqjiq25fjqre67paoc7omi3iynbdw62
This URL is much more difficult to guess than the site/username/password combinaison as the URL is machine generated, as opposed to the username and password. In both cases, I can revoke access to the resource if you do something stupid.
This is a cool and simple idea.
The discussion in the rest-discuss mailing list is at http://groups.yahoo.com/group/rest-discuss/message/5228 . The site where this idea is implemented is at https://yurl.net/id/home.
