
Re: WGLC #348: Realms and scope

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 31 May 2012 23:04:30 +0900
Message-ID: <CAMeZVwup4XhLOc_G5ggVSGgbDiu9HbiPBbePvxwrp8XCWZD3DQ@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
+1

If more comments are to be added, it is especially important when it uses a cleartext credential (e.g. Basic).

2012/5/31 Mark Nottingham <mnot@mnot.net>:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/348>
>
> Proposal -
>
> New section in p7 Security Considerations:
>
> """
> 6.2 Protection Spaces
>
> Authentication schemes that use the "realm" mechanism for establishing a protection space will expose credentials to all resources on a server. This makes it possible for a resource to harvest authentication credentials for other resources on the same server.
>
> This is of particular concern when a server hosts resources for multiple parties. Possible mitigation strategies include restricting direct access to authentication credentials (i.e., not making the content of the Authorization request header available), and separating protection spaces by using a different hostname for each party.
> """
>
>
> --
> Mark Nottingham   http://www.mnot.net/
-- 
Yutaka OIWA, Ph.D.              Leader, Software Reliability Research Group
                             Research Institute for Secure Systems (RISEC)
   National Institute of Advanced Industrial Science and Technology (AIST)
                     Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
Received on Thursday, 31 May 2012 14:05:25 GMT
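The protection-space behaviour that the proposed text relies on, modelled in Python as an added example (not code from this thread or from the httpbis drafts): a realm is bounded by the canonical root URI, so any resource on the same host can obtain the cached credential by naming the realm, and sub-paths receive it without any challenge, while a separate hostname is a separate root. The hostnames, realm name and credential are constructed for illustration.

```python
# Added example, not from the thread: models the protection-space rule
# (RFC 2617 sec. 2) that the proposed text relies on. Realm scope is the
# canonical root URI, so every resource on that host shares the credential.
# Hostnames, realm and credential are constructed for illustration.
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_root(url):
    """(scheme, host, port): the root URI that bounds a protection space."""
    p = urlsplit(url)
    return (p.scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[p.scheme])


def dir_of(url):
    return (urlsplit(url).path or "/").rsplit("/", 1)[0] + "/"  # '/a/x' -> '/a/'


class CredentialCache:
    """Client-side cache keyed by protection space = (root URI, realm)."""
    def __init__(self):
        self._cred = {}  # (root, realm) -> credential
        self._dirs = {}  # (root, realm) -> directories that issued a challenge

    def remember(self, url, realm, credential):
        key = (canonical_root(url), realm)
        self._cred[key] = credential
        self._dirs.setdefault(key, set()).add(dir_of(url))

    def for_challenge(self, url, realm):
        """Credential reused when `url` replies with a challenge naming `realm`."""
        return self._cred.get((canonical_root(url), realm))

    def preemptive(self, url):
        """Credential sent unprompted: same root, path at or below a challenged dir."""
        root, path = canonical_root(url), urlsplit(url).path or "/"
        for key, dirs in self._dirs.items():
            if key[0] == root and any(path.startswith(d) for d in dirs):
                return self._cred[key]
        return None


def demo():
    """Party A challenges once on a shared host; see who else can obtain it."""
    cache = CredentialCache()
    cache.remember("https://shared.example/party-a/", "Members", "alice:s3cret")
    return {  # same host + same realm: exposed; sub-path: unprompted; own host: isolated
        "same_host_challenge": cache.for_challenge("https://shared.example/party-b/", "Members"),
        "subpath_preemptive": cache.preemptive("https://shared.example/party-a/profile"),
        "own_hostname": cache.for_challenge("https://party-b.example/", "Members"),
    }
```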
