(Replying to PARENT post)
Thank you for the answer, I didn't know about these Capability URLs.
It's kind of security by obscurity I think. Still, if somehow somebody else gains access to a Capability URL, it cannot be considered an unlawful act. He could even claim that he was lucky enough to type a URL, which by coincidence gave him access to somebody else's personal data.
๐คkrackout๐3y๐ผ0๐จ๏ธ0
(Replying to PARENT post)
> although you should NOT! use a UUID, only the format or better something else
Why? Even the document you linked recommends using them...
๐คgpas๐3y๐ผ0๐จ๏ธ0
(Replying to PARENT post)
Yes, the URL is on the public net, but unknown for everyone aside from you.
> Can it really be considered safe, a public URL; just because it's long
Yes: https://www.w3.org/TR/capability-urls/
Depends on the implementation of course. Many use the format of a UUID like this: 07463cd8-3f1f-11ed-b878-0242ac120002, although you should NOT! use a UUID, only the format or better something else.
But it is considered safe provided the link is only valid for a limited time (3 months should still be ok).
This mechanism should regularly be reevaluated though. It is especially security mechanisms that can compromise it. Corporate mail & firewall security will see the link, might log it somewhere where it can be exposed, etc.
But the fundamental mechanism is considered to be secure.
edit: The requirements for it to be secure are that mail and http access is secured by TLS of course.