
Re: Security Requirements for HTTP, draft -00

From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Date: Mon, 28 Jan 2008 22:27:21 +0100
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: ietf-http-wg@w3.org
Message-ID: <20080128212721.GA8742@sources.org>

On Mon, Jan 28, 2008 at 08:47:46AM -0800,
 Paul Hoffman <paul.hoffman@vpnc.org> wrote 
 a message of 59 lines which said:

> I strongly suspect that if you add up all the authentications done
> on every HTTP server in the world today, forms+cookies+people would
> win over ((nonforms+people) + (nonforms+nonpeople)).

Maybe, it depends on the metrics you use :-) Number of installations,
number of requests per day, number of US $ processed? :-)

My personal impression is that it is either forms+people or
nonforms+nonpeople and the rest is marginal.

What do other people think? I was extremely surprised that "nonpeople"
uses of HTTP were, it seems, ignored in version -00.

> The sentence is about reusability, not general danger. The
> reusability comes directly from the attacker being able to see the
> Basic credential go by.

No, it comes from the credential being static. If you use OTP, surely
it does not matter if the attacker can see "the credential go by"?

> Section 2.4 is explicitly about "Web Services", not REST and the like.

Well, in that case, I have to ask for the I-D to provide a definition
for Web Services (I'm myself lost in the marketing talk). But it would
be a strange definition if it excludes REST.

Received on Monday, 28 January 2008 21:28:01 GMT
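The replay point made above (a captured static Basic credential can be presented again, a one-time code cannot) shown as an added example that is not part of this thread; it assumes HOTP (RFC 4226) as the OTP scheme, uses the RFC's published test secret, and the user name and password are constructed:

```python
import base64
import hashlib
import hmac
import struct

STATIC_PASSWORD = "hunter2"             # constructed demo password
HOTP_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret


def basic_header(user, password):
    """Build the Authorization header value for HTTP Basic (RFC 2617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class BasicServer:
    """Static credential: the same header verifies every time it is presented."""
    def check(self, header):
        scheme, _, token = header.partition(" ")
        user, _, pw = base64.b64decode(token).decode().partition(":")
        return scheme == "Basic" and user == "alice" and hmac.compare_digest(pw, STATIC_PASSWORD)


class HotpServer:
    """One-time credential: a code is accepted once, then the counter moves past it."""
    def __init__(self, secret, window=5):
        self.secret, self.window, self.counter = secret, window, 0

    def check(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this and earlier counters are never accepted again
                return True
        return False


def replay_static():
    """Eavesdropper re-sends the captured Basic header: (first attempt, replay)."""
    server, captured = BasicServer(), basic_header("alice", STATIC_PASSWORD)
    return server.check(captured), server.check(captured)


def replay_otp():
    """Eavesdropper re-sends the captured HOTP code: (first attempt, replay)."""
    server, captured = HotpServer(HOTP_SECRET), hotp(HOTP_SECRET, 0)
    return server.check(captured), server.check(captured)
```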
