W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2008

Re: Security Requirements for HTTP, draft -00

From: Paul Hoffman <paul.hoffman@vpnc.org>
Date: Mon, 28 Jan 2008 13:46:23 -0800
Message-Id: <p06240818c3c3fccb85e3@[]>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: ietf-http-wg@w3.org

At 10:27 PM +0100 1/28/08, Stephane Bortzmeyer wrote:
>On Mon, Jan 28, 2008 at 08:47:46AM -0800,
>  Paul Hoffman <paul.hoffman@vpnc.org> wrote
>  a message of 59 lines which said:
>>  I strongly suspect that if you add up all the authentications done
>>  on every HTTP server in the world today, forms+cookies+people would
>>  win over ((nonforms+people) + (nonforms+nonpeople)).
>May be, it depends on the metrics you use :-) Number of installations,
>number of requests per day, number of US $ processed ? :-)

Number of requests per day.

>My personal impression is that it is either forms+people or
>nonforms+nonpeople and the rest is marginal.

Fully agree.

>What do other people think? I was extremely surprised that "nonpeople"
>uses of HTTP were, it seems, ignored from the version -00.

Ignored in what way?!?! The security implications of Basic and Digest 
were fully covered.

>  > The sentence is about reusability, not general danger. The
>>  reusability comes directly from the attacker being able to see the
>>  Basic credential go by.
>No, it comes from the credential being static.

No, it comes from the credential being static *and visible to an attacker*.

>If you use OTP, surely
>it does not matter if the attacker can see "the credential go by"?

Correct. Which HTTP authentication standard is for OTP? If we missed 
one, we should certainly cover it.

>  > Section 2.4 is explicly about "Web Services", not REST and the like.
>Well, in that case, I have to ask for the I-D to provide a definition
>for Web Services (I'm myself lost in the marketing talk). But it would
>be a strange definition if it excludes REST.

We'll see. :-)

--Paul Hoffman, Director
--VPN Consortium
Received on Monday, 28 January 2008 21:46:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:44 UTC