Re: I-D Action:draft-ietf-httpbis-security-properties-01.txt

I think both of these additions (with some edits) are a good way to 
acknowledge the use of client certificates for HTTP-over-TLS.

--Paul Hoffman

At 11:09 PM -0400 3/13/08, Stephane Bortzmeyer wrote:
>On Fri, Feb 22, 2008 at 09:58:34AM -0800,
>  Internet-Drafts@ietf.org <Internet-Drafts@ietf.org> wrote
>  a message of 20 lines which said:
>
>>	Title           : Security Requirements for HTTP
>>	Author(s)       : P. Hoffman, A. Melnikov
>>	Filename        : draft-ietf-httpbis-security-properties-01.txt
>
>This draft has a section on TLS, 2.5, which is quite short :-)
>
>I suggest, after or before 2.2:
>
>2.x TLS authentication
>
>For the humans, long after form+cookies, TLS [RFC4346] is certainly
>the most common way to authenticate a Web client. For the robots, this
>technique is common, too.
>
>Most actual deployments of client authentication use a custom PKI,
>and user certificates directly distributed by this PKI. X509
>hierarchies starting from a "widely known" CA are less common. For
>instance, the tax submission system in France allowed last year X
>[TODO: check the actual value] millions of users to submit their tax
>data after authentication with a certificate delivered by the
>government.
>
>And, in 2.5:
>
>TLS, besides its use for client and/or server authentication, is also
>very commonly used to protect the confidentiality and integrity of the
>HTTP session. For instance, both HTTP Basic authentication and Cookies
>are often protected against snooping by TLS.
>
>It should be noted that, in that case, TLS does not protect against a
>breach of the credential store at the server or against a keylogger or
>phishing interface at the client. TLS does not change the fact that
>Basic Authentication passwords are reusable and does not address that
>weakness.

Received on Saturday, 15 March 2008 23:51:55 UTC
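Added illustration (my own sketch, not part of the thread or of the draft text) of the point in the last quoted paragraph: once TLS is terminated, the server holds the Basic password in the clear and the very same Authorization header verifies on every request, so TLS does not remove reusability. The salted PBKDF2 credential store is an assumed mitigation for the credential-store-breach case, not something the quoted text proposes; the header value is constructed.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for the sample store


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (base64 of "user:pass")."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


# Constructed sample: the header exactly as the server sees it after TLS
# decryption. TLS hid it from the network, not from this endpoint.
SAMPLE_HEADER = basic_header("alice", "correct horse")


def decode_basic(header: str) -> tuple[str, str]:
    """Recover user-id and password from a Basic header; the password comes
    back as reusable plaintext, which is what TLS leaves unchanged."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def make_store_entry(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 entry for the credential store (assumed mitigation): a
    breach of the store yields hashes, not directly replayable passwords."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(header: str, store: dict[str, tuple[bytes, bytes]]) -> bool:
    """Check a Basic header against the hashed store in constant time."""
    user, password = decode_basic(header)
    entry = store.get(user)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```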