
Re: WGLC issue: "Realms and scope" in p7

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 22 Mar 2012 10:55:08 +1100
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <4F312B10-9137-4126-A6A8-9348A1C13A68@mnot.net>
To: Martin Thomson <martin.thomson@gmail.com>
Now <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/348>.


On 16/03/2012, at 2:39 PM, Martin Thomson wrote:

> There's an implicit acknowledgement that one resource does not know
> about another (from p3):
> 
>   A cache cannot assume that a representation with a Content-Location
>   different from the URI used to retrieve it can be used to respond to
>   later requests on that Content-Location URI.
> 
> However, the mechanism we use (and rely upon for performance) from p7
> makes no concessions on that point.  A server that operates separate
> fiefdoms by allocating different portions of path-space cannot prevent
> one vassal state from learning the secrets of any other that uses
> these authentication mechanisms we so love to hate.
> 
> For instance, if "/kind/and/naive" is authenticated in the realm
> "puppies", then "/kinda/shifty" can harvest their authentication
> information if a logged in user agent navigates there. See "log out"
> discussion for exacerbating stuff.  User agents don't know (or care)
> for this distinction.
> 
> Of course, this is all pretty obvious, but is this worth acknowledging
> in Section 6?
> 

--
Mark Nottingham   http://www.mnot.net/
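To make the realm-scoping problem from the quoted message concrete, here is an added example (not code from the thread, the httpbis drafts, or any browser) that models a user agent's credential store under two policies: keying stored credentials by (origin, realm) only, as browsers commonly do, versus additionally remembering the directory prefixes where the credentials were first accepted (the protection-space rule from RFC 2617) and reusing them only beneath those prefixes. The host, paths, realm name and credentials are constructed for the illustration.

```python
"""Model of when a user agent silently reuses stored HTTP credentials
after a second resource on the same origin challenges with the same realm.
Constructed example; not code from the mailing-list thread."""
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Challenge:
    url: str    # URL of the resource that returned 401
    realm: str  # realm parameter from its WWW-Authenticate header


def origin(url: str) -> str:
    """Canonical scheme://host[:port] for a URL (lower-cased)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def protection_root(url: str) -> str:
    """Directory prefix of the URL path: '/kind/and/naive' -> '/kind/and/'.
    This is the RFC 2617 notion of the path portion of a protection space."""
    path = urlsplit(url).path or "/"
    return path[: path.rfind("/") + 1]


@dataclass
class CredentialStore:
    """scope_by_path=False: credentials are keyed by (origin, realm) only, so
    any resource on the origin that names the same realm gets them.
    scope_by_path=True: credentials are also tied to the directory prefixes
    where they were accepted; a challenge from elsewhere means 'prompt'."""
    scope_by_path: bool
    _creds: dict = field(default_factory=dict)  # (origin, realm) -> (user, pw)
    _roots: dict = field(default_factory=dict)  # (origin, realm) -> {prefixes}

    def remember(self, ch: Challenge, user: str, password: str) -> None:
        key = (origin(ch.url), ch.realm)
        self._creds[key] = (user, password)
        self._roots.setdefault(key, set()).add(protection_root(ch.url))

    def credentials_for(self, ch: Challenge) -> Optional[Tuple[str, str]]:
        """Credentials the UA would send automatically, or None meaning the
        UA should prompt the user rather than reuse anything silently."""
        key = (origin(ch.url), ch.realm)
        if key not in self._creds:
            return None
        if not self.scope_by_path:
            return self._creds[key]
        path = urlsplit(ch.url).path or "/"
        if any(path.startswith(root) for root in self._roots[key]):
            return self._creds[key]
        return None


def decide(scope_by_path: bool, challenge_url: str, realm: str = "puppies"):
    """Replay the scenario from the thread: the user authenticates once at
    /kind/and/naive in realm 'puppies', then a different resource on the
    same origin issues a challenge. Returns what the UA would send."""
    store = CredentialStore(scope_by_path)
    first = Challenge("https://example.test/kind/and/naive", "puppies")
    store.remember(first, "alice", "correct-horse")  # constructed credentials
    return store.credentials_for(Challenge(challenge_url, realm))


if __name__ == "__main__":
    shifty = "https://example.test/kinda/shifty"
    print("realm-only policy :", decide(False, shifty))  # credentials reused
    print("path-scoped policy:", decide(True, shifty))   # None -> prompt
```

Under the realm-only policy the second resource receives the stored credentials simply by naming the same realm, which is the harvesting case described above: partitioning a server by path prefix gives an operator no isolation unless the user agent also scopes by path, and since the operator does not control the user agent, the draft text cannot promise that isolation either.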
Received on Wednesday, 21 March 2012 23:55:36 GMT
