W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Wilfredo Sánchez Vega <wsanchez@wsanchez.net>
Date: Wed, 18 Oct 2006 17:08:35 -0700
Message-Id: <F988EB7C-43E5-42C5-A83D-B664BA8CE8CC@wsanchez.net>
To: lists@ingostruck.de, HTTP Working Group <ietf-http-wg@w3.org>

   If I may add a data point, the recently approved CalDAV states  
that a server MUST NOT implement Basic Auth or similar without SSL or  
similar.

   Personally, I think that sort of MUST NOT requirement is bogus,  
and fully intend to ignore it.  More specifically, I do no intend to  
disallow a server admin from configuring the server to allow Basic.   
My server's written in Python, and bypassing any such constraints  
would be trivial in any case.

   There will be zero CalDAV-compliant clients which will fail to  
interoperate with my server as a result of this, so as a practical  
matter, I have no incentive to comply with this requirement.

   It certainly won't be enabled by default, nor would I encourage  
such a config in a production environment, and I wouldn't put it in  
an admin UI.  But if a server admin decides that making Basic work is  
useful, then I'm not getting in the way.  I, for example, use it for  
testing, since SSL is a bit of a bother when using tcpflow.

   For what it's worth, as a client author I'd have a somewhat  
different viewpoint here.  But as a server author, SHOULD NOT makes  
plenty of sense, and MUST NOT strikes me as hard to justify.

	-wsv



On Oct 18, 2006, at 3:19 AM, Henrik Nordstrom wrote:

> ons 2006-10-18 klockan 09:24 +0000 skrev Ingo Struck:
>
>
>> A formulation within an updated http/1.1 document could be
>> that a conforming server implementation MUST NOT use the
>> Basic auth scheme (or equally weak schemes), while clients
>> MAY support it, but if they do they MUST warn the user
>> decidedly -- if this seems to be too restrictive a SHOULD NOT
>> could still suffice.
>
> I would add "without adequate transport level security" to the above.
>
> Exchanges of plain-text passwords is often required for  
> interoperability
> reasons far beyond the HTTP protocol as such. In very many  
> applications
> the server simply MUST know the plain-text password of the user.
>
> The main reason why Digest auth hasn't been widely deployed and most
> still using Basic is because of these reasons. There is not very  
> much as
> such wrong with Digest auth even if there is areas which can be  
> improved
> (and many broken implementations), but in practice it's often  
> completely
> useless as the backend systems doesn't support Digest auth, only other
> proprietary authentication protocols or plain text.
>
> Quite recently there was a standardisation effort which have brought
> Digest auth a bit closer to something deployable by extending RADIUS
> with Digest auth support. Hopefully this will make Digest a more
> available alternative.
>
>
> Regards
> Henrik
Received on Thursday, 19 October 2006 00:09:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT