Re: 3 Proposals: session ID, business-card auth, customer auth

Roy Fielding
Wed, 19 Jul 1995 21:53:36 -0400

Dale writes:

>I'm getting uncomfortable that you are attaching
>your policy to technical capabilities. The information
>provider and the customer should negotiate policy. The system should
>have every capability that's possible and practical in such an arrangement.

Sorry, that's not always a valid argument. Those of us that are engineers
have an ethical duty to design systems such that the user is protected.
There are quite a few technical possibilities that most users and most
information providers are not aware of, and it isn't practical to teach
them prior to an exchange of information. Our job is to ensure that
systems are designed to allow both functionality *and* safety.

>The Web is going to have a hard time if its designers believe
>they can implement a certain kind of policy by making it
>impossible for two parties to trade information reliably
>and efficiently.

I don't think that was under consideration -- it is not what is
traded, but how it is traded. The user must be prompted and in
control of any transaction.

....Roy T. Fielding Department of ICS, University of California, Irvine USA
Visiting Scholar, MIT/LCS + World-Wide Web Consortium