- From: Paul Hoffman <paul.hoffman@vpnc.org>
- Date: Sat, 15 Mar 2008 16:49:33 -0700
- To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, ietf-http-wg@w3.org
I think both of these additions (with some edits) are a good way to acknowledge the use of client certificates for HTTP-over-TLS.

--Paul Hoffman

At 11:09 PM -0400 3/13/08, Stephane Bortzmeyer wrote:
>On Fri, Feb 22, 2008 at 09:58:34AM -0800,
> Internet-Drafts@ietf.org <Internet-Drafts@ietf.org> wrote
> a message of 20 lines which said:
>
>> Title : Security Requirements for HTTP
>> Author(s) : P. Hoffman, A. Melnikov
>> Filename : draft-ietf-httpbis-security-properties-01.txt
>
>This draft has a section on TLS, 2.5, which is quite short :-)
>
>I suggest, after or before 2.2:
>
>2.x TLS authentication
>
>For the humans, long after form+cookies, TLS [RFC4346] is certainly
>the most common way to authenticate a Web client. For the robots, this
>technique is common, too.
>
>Most actual deployments of client authentication use a custom PKI,
>and user certificates directly distributed by this PKI. X509
>hierarchies starting from a "widely known" CA are less common. For
>instance, the tax submission system in France allowed last year X
>[TODO: check the actual value] millions of users to submit their tax
>data after authentication with a certificate delivered by the
>government.
>
>And, in 2.5:
>
>TLS, besides its use for client and/or server authentication, is also
>very commonly used to protect the confidentiality and integrity of the
>HTTP session. For instance, both HTTP Basic authentication and Cookies
>are often protected against snooping by TLS.
>
>It should be noted that, in that case, TLS does not protect against a
>breach of the credential store at the server or against a keylogger or
>phishing interface at the client. TLS does not change the fact that
>Basic Authentication passwords are reusable and does not address that
>weakness.
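A server-side illustration of the proposed 2.5 text, added here as example code that is not from the thread or from the draft: a Basic `Authorization` header is checked against a credential store that holds only salted PBKDF2 hashes (a constructed sample record), which limits what a breach of the store exposes, while the same header verifying twice shows that TLS does nothing about the credential itself being reusable. The names `CREDENTIAL_STORE`, `verify_basic` and `parse_basic_authorization` are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed credential store (sample values, not from the thread): the
# server keeps a per-user salt and a PBKDF2 hash, never the password itself.
PBKDF2_ITERATIONS = 200_000


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


CREDENTIAL_STORE = {"alice": make_record("correct horse battery staple")}


def parse_basic_authorization(header_value: str):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # RFC 2617: user-id ":" password
    return (user, password) if sep else None


def verify_basic(header_value: str) -> bool:
    parsed = parse_basic_authorization(header_value)
    if parsed is None:
        return False
    user, password = parsed
    record = CREDENTIAL_STORE.get(user)
    if record is None:
        # Hash anyway so response timing does not reveal which user names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def basic_header(user: str, password: str) -> str:
    """Build the header value a client would send (used here to construct test input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Note that `verify_basic` accepts an identical header value on every request: the hashing protects the stored secret, not the secret in transit, which is exactly the reusability TLS leaves untouched.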
Received on Saturday, 15 March 2008 23:51:55 UTC