[OTDev] A&A: precautions against pre-registering resources

chung chvng at mail.ntua.gr
Mon Jun 28 18:28:56 CEST 2010


Hi Andreas,
  Is it possible to allow just web services to create policies prior to
the resource's actual creation? [I mean using some token of theirs
identifying them as web services, and not using other users' tokens.]
If one attempts a DoS attack you can just disable the attacker's account,
or if one creates policies at an unexpectedly high frequency you can block
the account for some time. It would be more convenient if we removed such
a restriction.

Note: This is not an objection; it would just be easier for me to go
without this restriction.

Best regards,
Pantelis


On Mon, 2010-06-28 at 13:28 +0200, Andreas Maunz wrote:

> Dear all,
> 
> I propose to make the A&A policy webservice more secure by checking 
> availability of resource URIs at policy upload time.
> This is to tackle the issue of "pre-registration", i.e., to stop an 
> attacker from registering arbitrary "promising" resource URIs (not under 
> his control), by enforcing that every URI in a policy is actually reachable.
> Being "reachable" means that the webservice at the corresponding URI 
> reacts by returning an arbitrary return code other than "404 (not found)".
> If nothing speaks against that I will add the functionality within the 
> next few days. Please tell me, if you hold a different view on the issue.
> 
> Best regards
> Andreas
> _______________________________________________
> Development mailing list
> Development at opentox.org
> http://www.opentox.org/mailman/listinfo/development
> 
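The reachability check Andreas proposes above, as an added illustration that is not code from the OpenTox A&A service: every resource URI in a policy is probed at upload time and the upload is refused if any of them answers "404 (not found)" or cannot be contacted at all; any other status (200, 403, 500, ...) is taken as proof that the resource exists, exactly as his definition says. The local HTTP server, the paths `/dataset/1` and `/model/7` and their status codes are constructed stand-ins for real OpenTox services.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

def is_reachable(uri, timeout=3.0):
    """Andreas' criterion: the service at `uri` answers with any HTTP status
    other than 404. Connection failures and timeouts count as unreachable,
    and only http(s) URIs are probed at all (assumption of this example)."""
    if urlparse(uri).scheme not in ("http", "https"):
        return False
    req = urllib.request.Request(uri, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return True            # any 2xx/3xx answer
    except urllib.error.HTTPError as e:
        return e.code != 404       # 401/403/500 still prove the URI is taken
    except (urllib.error.URLError, OSError):
        return False

def validate_policy(policy_uris):
    """Return the URIs that would make the policy upload be refused."""
    return [u for u in policy_uris if not is_reachable(u)]

# Constructed stand-in for the services: /dataset/1 exists, /model/7 exists
# but requires authorization, every other path is unknown.
class _FakeService(http.server.BaseHTTPRequestHandler):
    def do_HEAD(self):
        code = {"/dataset/1": 200, "/model/7": 403}.get(self.path, 404)
        self.send_response(code)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def _serve():
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeService)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]

def demo():
    """Upload a policy naming three URIs; only the unknown one is rejected."""
    base = _serve()
    policy = [base + "/dataset/1", base + "/model/7", base + "/dataset/999"]
    return validate_policy(policy)

if __name__ == "__main__":
    print(demo())  # → ['http://127.0.0.1:<port>/dataset/999']
```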