
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Wed, 29 Feb 2012 23:44:30 +0100
Message-ID: <1330555470.24673.106.camel@home.hno.se>
To: Adrien de Croy <adrien@qbik.com>
Cc: ietf-http-wg@w3.org

On Thu, 2012-03-01 at 09:09 +1300, Adrien de Croy wrote:
> There is one other thing I would add to auth:
> 
> Ability for a challenger to identify itself, and for a response to 
> target a challenger.

Proxy-auth is currently defined hop-by-hop, avoiding this mess. But
unfortunately real-life networks are not always that simple.

But the security implications of multi-level proxy challenges are tricky,
to say the least. There is no guarantee the next request travels the same
path. I would not dare to venture into specifying what such a multi-level
challenge/response process with a varying path would look like or how it
would work, or the security aspects of any such design.

> Adding a parameter to the challenge and response which identifies the 
> challenger would allow for this.

Yes, but opens up a big can of worms as expressed above.

> In fact it would then allow proxy and server auth to use the same 
> mechanism and headers.

Which is one very visible aspect of that big can of worms. You need a
damn good framework defining what may be sent where, and the
possibilities of both security leakage and breakage explode.

Regards
Henrik
Received on Wednesday, 29 February 2012 22:45:01 GMT
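The contrast Henrik draws, between hop-by-hop proxy credentials and a challenge that names its challenger so a response can pass through intermediaries to reach it, as an added illustration that is not part of the thread and not code from any HTTP implementation. It is a toy Python model: proxies are plain objects that forward a request along a chain, `Proxy-Authorization` is consumed at the first hop in the hop-by-hop case, and the `challenger` / `target` auth-params are hypothetical stand-ins for the proposal being quoted (nothing of that name exists in the HTTP auth framework). The second scenario routes the retry over a different path than the one that was challenged, which is the situation the message says cannot be guaranteed away, and records which hops got to read the credential.

```python
import base64
import re


def basic_token(user, password):
    """Basic credentials as carried on the wire (base64 of user:password)."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_credentials(value):
    """'Basic <token>' or 'Basic <token>; target=<name>' (target is hypothetical)."""
    scheme, _, rest = value.partition(" ")
    token, _, target = rest.partition("; target=")
    return scheme, token, target or None


def parse_challenge(value):
    """Name of the hop to answer: the hypothetical 'challenger' param if present,
    otherwise the realm, which a hop-by-hop client must assume is its next hop."""
    m = re.search(r'challenger="([^"]*)"', value) or re.search(r'realm="([^"]*)"', value)
    return m.group(1)


class Proxy:
    def __init__(self, name, password=None):
        self.name = name
        self.password = password   # None: this hop does not authenticate
        self.seen = []             # credential tokens observed at this hop

    def handle(self, headers, rest, targeted):
        headers = dict(headers)
        cred = headers.get("Proxy-Authorization")
        token = target = None
        if cred is not None:
            _, token, target = parse_credentials(cred)
            self.seen.append(token)  # any hop that carries it can read it
            if not targeted:
                del headers["Proxy-Authorization"]  # hop-by-hop: consumed here
        if self.password is not None:
            ok = token == basic_token("user", self.password) and (
                not targeted or target == self.name)
            if not ok:
                challenge = f'Basic realm="{self.name}"'
                if targeted:
                    challenge += f', challenger="{self.name}"'
                return {"status": 407, "Proxy-Authenticate": challenge}
        return send(headers, rest, targeted)


def send(headers, path, targeted):
    """Deliver a request along a chain of proxies; an empty chain is the origin."""
    if not path:
        return {"status": 200}
    return path[0].handle(headers, path[1:], targeted)


def client_run(paths, targeted, passwords):
    """Retry over successive paths, answering each 407; a later attempt may take
    a different route than the one that produced the challenge."""
    headers, resp = {}, None
    for path in paths:
        resp = send(headers, path, targeted)
        if resp["status"] != 407:
            break
        challenger = parse_challenge(resp["Proxy-Authenticate"])
        cred = f'Basic {basic_token("user", passwords[challenger])}'
        if targeted:
            cred += f"; target={challenger}"
        headers = {"Proxy-Authorization": cred}
    return resp["status"]


def scenario_hop_by_hop():
    """Only the next hop authenticates; a downstream path change is harmless."""
    a, b, c = Proxy("A", password="pw-a"), Proxy("B"), Proxy("C")
    status = client_run([[a, b], [a, c]], targeted=False, passwords={"A": "pw-a"})
    return status, {p.name: list(p.seen) for p in (a, b, c)}


def scenario_targeted():
    """B, two hops away, challenges; the retry is routed through C as well."""
    a, b, c = Proxy("A"), Proxy("B", password="pw-b"), Proxy("C")
    status = client_run([[a, b], [a, c, b]], targeted=True, passwords={"B": "pw-b"})
    return status, {p.name: list(p.seen) for p in (a, b, c)}


def leaked_to(seen, challenger):
    """Hops other than the challenger that observed a credential token."""
    return sorted(n for n, toks in seen.items() if toks and n != challenger)


if __name__ == "__main__":
    status, seen = scenario_hop_by_hop()
    print("hop-by-hop:", status, "credential seen by non-challengers:", leaked_to(seen, "A"))
    status, seen = scenario_targeted()
    print("targeted:  ", status, "credential seen by non-challengers:", leaked_to(seen, "B"))
```

Both scenarios end in 200, but in the targeted one every intermediary on the retry path reads a credential that was only ever meant for B, and a client cannot know in advance which hops that will be. That is the leakage side of the "can of worms"; the breakage side (a hop on the new path that expects its own credentials and sees someone else's) falls out of the same model by giving C a password.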
