
Security considerations from RE-AUTHENTICATION-REQUESTED

From: Jim Gettys <jg@pa.dec.com>
Date: Thu, 12 Feb 1998 13:44:01 -0800
Message-Id: <9802122144.AA28991@pachyderm.pa.dec.com>
To: http-wg@cuckoo.hpl.hp.com

I've pulled Paul's proposal from Rev-02 for RE-AUTHENTICATION-REQUESTED
per the discussion in Washington and the mailing list.  The lack
of this facility does need discussion in the Security Considerations
section, however.  So I had an editorial task to generate such a section.

Here's my crack at drafting such a section.  Comments welcome (for a short
while, anyway...).
				- Jim

15.6 Authentication Credentials and Idle Clients

Existing HTTP clients typically retain authentication information
indefinitely. HTTP/1.1 lacks a facility to force reauthentication of clients,
which may have been idle for extended periods, by an origin server or
a proxy. This is considered a significant defect that requires further
additions to HTTP, and is under separate study. There are a number of
work-arounds to parts of this problem, and we encourage the use of password
protected screen savers on idle clients to mitigate some of the resulting
security problems.

Received on Thursday, 12 February 1998 13:47:05 EST