
Re: I-D Action:draft-ietf-httpbis-security-properties-01.txt

From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Date: Thu, 13 Mar 2008 23:09:03 -0400
To: ietf-http-wg@w3.org
Message-ID: <20080314030903.GA20286@laperouse.bortzmeyer.org>

On Fri, Feb 22, 2008 at 09:58:34AM -0800,
 Internet-Drafts@ietf.org <Internet-Drafts@ietf.org> wrote 
 a message of 20 lines which said:

> 	Title           : Security Requirements for HTTP
> 	Author(s)       : P. Hoffman, A. Melnikov
> 	Filename        : draft-ietf-httpbis-security-properties-01.txt

This draft has a section on TLS, 2.5, which is quite short :-)

I suggest, after or before 2.2:

2.x TLS authentication

For the humans, long after form+cookies, TLS [RFC4346] is certainly
the most common way to authenticate a Web client. For the robots, this
technique is common, too.

Most actual deployments of client authentication use a custom PKI,
and user certificates directly distributed by this PKI. X.509
hierarchies starting from a "widely known" CA are less common. For
instance, the tax submission system in France allowed last year X
[TODO: check the actual value] millions of users to submit their tax
data after authentication with a certificate delivered by the
government.

And, in 2.5:

TLS, besides its use for client and/or server authentication, is also
very commonly used to protect the confidentiality and integrity of the
HTTP session. For instance, both HTTP Basic authentication and Cookies
are often protected against snooping by TLS.

It should be noted that, in that case, TLS does not protect against a
breach of the credential store at the server or against a keylogger or
phishing interface at the client. TLS does not change the fact that
Basic Authentication passwords are reusable and does not address that
weakness.
Received on Friday, 14 March 2008 12:18:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:37 GMT