W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: additional mechanisms on top of the auth framework, was: SECDIR review of draft-ietf-httpbis-p7-auth-24

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 31 Oct 2013 16:17:57 +0100
Message-ID: <527274A5.9030009@gmx.de>
To: Bjoern Hoehrmann <derhoermi@gmx.net>, Julian Reschke <julian.reschke@greenbytes.de>
CC: Stephen Kent <kent@bbn.com>, secdir <secdir@ietf.org>, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, "Mankin, Allison" <amankin@verisign.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2013-10-31 16:05, Bjoern Hoehrmann wrote:
> * Julian Reschke wrote:
>> On 2013-10-31 15:44, Bjoern Hoehrmann wrote:
>>> I think doing s/encryption/authentication/ instead would be better.
>>> There is no reason to discuss confidentiality here. Encryption and other
>>> cryptographic techniques are used in many authentication schemes, like
>>> with client certificates; that may have been the idea behind the text.
>>
>> "authentication on the transport layer"?
>
> Applying my suggestion would make the text read,
>
>     The HTTP protocol does not restrict applications to this simple
>     challenge-response framework for access authentication. Additional
>     mechanisms MAY be used, such as authentication at the transport
>     level or via message encapsulation, and with additional header fields
>     specifying authentication information. However, such additional
>     mechanisms are not defined by this specification.
>
> (The MAY might be better as "can".)

"HTTP does not restrict applications to this simple challenge-response 
framework for access authentication. Additional mechanisms can be used, 
such as authentication at the transport level or via message 
encapsulation, and with additional header fields specifying 
authentication information. However, such additional mechanisms are not 
defined by this specification."

WFM.

>> That wouldn't cover Basic auth (plain text passwords) over https:, which
>> I think this paragraph is hinting at...
>
> Transport Layer Security client certificate authentication is an
> additional authentication mechanism at the transport level that
> implementations of HTTP actually use. Basic authentication is just

Indeed.

> the basic application of the challenge-response framework defined
> in the document, so your interpretation seems unlikely.
>
> It might be a good idea to point out that authentication does not
> imply confidentiality and that TLS can be used for confidentiality,
> but that should be in a separate paragraph.

Maybe. Text welcome :-)

Best regards, Julian
Received on Thursday, 31 October 2013 15:18:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC