httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Re: More news
Date Thu, 24 Aug 1995 20:23:23 GMT
   Date: Thu, 24 Aug 1995 11:16:36 -0400
   From: Roy Fielding <fielding@beach.w3.org>
   Precedence: bulk
   Reply-To: new-httpd@hyperreal.com

   Please let me know what you think and I'll shape the answers
   into a respectable reply.

A little more info:

I've looked the guy's stuff over.  As near as I can tell, what they
have is a server which has been hacked to do (plain HTTP basic)
authentication using a (proprietary?) distributed database as a back
end, instead of a fixed set of config files; it also apparently logs
sufficient information to do back-end billing (per page), and handles
at least some of that automatically --- in particular, it has the
clients' credit card numbers --- and makes some profile information
(somehow) available to the content provider (or their CGI
scripts?) with the request.

The stuff I was able to find left me with both technical and legal
questions about the system.

First the technical stuff --- because the docs (at least the ones I
found) were so sparse on technical information, it really isn't
possible to say how secure the billing information really is as it
travels over the wires (the pages say they've thought about this, but
not what the conclusions were --- I can't even tell if the server
*itself* doesn't know the client's name, or whether they're counting
on trusted servers not to give that information away to providers'
scripts; that latter part's a bad bet if a rogue provider has the
source code.  That's not to say that they made this mistake, of
course, just to say that I can't tell whether they did or not).

Another thing I can't assess is the nature of the API he mentions ---
is it just a few extra variables which are made available to CGI
scripts (something easily done in an Apache module), or something more
sophisticated, and harder to integrate?

Legally, there are two things unclear --- whether the guy intends to
keep any intellectual property stake in the one-off protocols used by
the database, and also, more tenuously, what legal issues may exist in
terms of purchase over the Internet.

That doesn't say anything yet about what to do about this; I still
have no good ideas, and I'm not sure I *could* come to further
conclusions without more data.  Sigh...

rst
