Re: Straw-man charter for http-bis

Sun 2007-06-10 at 23:33 -0400, Keith Moore wrote:

> ah, but what's the reason for all of those implementation-imposed
> constraints?
[in Digest]

Lack of a test suite allowing implementers to verify their
implementation?

Lack of general interest in having a reasonably secure authentication
mechanism?

Web authors considering look & feel much more important than security,
and not willing to ask for the ability to have both as forms + cookies
accomplishes their goal of getting the look & feel they want?

Digest being different than the other authentication mechanisms, and
therefore a bit of a pain to integrate into existing systems, requiring
a different password store or alternatively access to plaintext?  (a
problem shared with all secure authentication methods)

If not that, I am not sure. The most common implementation bugs are

  - Use of the wrong request method on non-GET requests

  - Omitting the query parameters from the Request-URI

  - Random client nonce-count sequences, including repeated use of the
same nonce-count.

  - md5-sess often broken, for example using wrong nonces.

  - Incorrect escaping (partly a specification issue).

And the most common shortcomings are

  - Not implementing qop at all (i.e. obsolete RFC2069 level of
implementation)

  - Not implementing nonce-count at all, requesting a new challenge from
the server on each request.

  - Not implementing -int qop.

And of HTTP authentication in general:

  - Web authors not given any influence on the user interface for the
login step.

  - Lack of any server controlled session control. Logout or idle
timeouts.

Regards
Henrik

Received on Monday, 11 June 2007 04:18:02 UTC