[MOBY-l] Re: [MOBY-dev] lease versus agent for registry updating

Phillip Lord p.lord at cs.man.ac.uk
Wed Aug 17 10:23:18 UTC 2005 

>>>>> "Martin" == Martin Senger <senger at ebi.ac.uk> writes:

  Martin> Hi all,
  Martin>    Everybody is talking about lease and agents so if I do
  Martin>    not join I would
  Martin> feel like a pariah...
  Martin>    What was the original problem that started this
  Martin>    discussion? I remember
  Martin> two:
  Martin> a) How to make a deregistration secure (so nobody can easily
  Martin>       remove my
  Martin> service from a registry), and
  Martin> b) How I can remove my service registration at any time when
  Martin>       I *want*
  Martin> to do it.
  Martin>    Am I right - is this (at least) the problems we are
  Martin>    trying to solve? (I
  Martin> understand that during this discussion a new problem was
  Martin> born - how to test that a service is reliable; but I
  Martin> consider it as a separate issue.)

  Martin>    Obviously problem b) requires an action on my side.  In
  Martin>    case of agent it is a removal of an RDF document - and
  Martin>    hopefully
  Martin> supported by a new method in the registry API calling an
  Martin> agent to come to me *now*. This new API call was mentioned
  Martin> and I hope it will happen. 


Actually, there is a minor security problem here. If I call this
method repeatedly and it really happens *now*, then I can use
moby-central as a proxy to launch a denial of service attack on a
third party. If I did this on NCBI, for example, it might have
interesting repercussions for who ever is hosting the moby-central. 

  Martin> Without it the agent solution is weak (IMHO) - having the
  Martin> similar weakness as Google has with non existing
  Martin> links/documents (oh, wow, now I really feel like a pariah by
  Martin> saying that Google has a weakness!)
  Martin>    In case of lease - is there a concept of making a lease
  Martin>    to expire
  Martin> before its planned end? If so, how is it done that nobody
  Martin> else can do it except me (problem a))?

Not really sure on this one, to be honest. Clearly, you can just set
up a short lease in the first place. Alternatively, you pass back some
magic cookie when the lease is taken out in the first place, that is
required for deregistration. This enables deregistration to be done
from anywhere, rather than through direct control of the RDF URL, but
still only by the originator. 

The ideal would, of course, to have some off the shelf library for
doing leases. 

  Martin>    Can you, Phill perhaps, explain me if the lease can solve
  Martin>    my two
  Martin> problems above? So far I understand that an agent can -
  Martin> assuming tghat there will be that new API call (Mark, Eddie,
  Martin> will this be - in case the agent idea is accepted?)



Does this make sense? 

Phil

More information about the moby-l mailing list