
Re: HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?

From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 4 Jan 2010 00:26:41 +0100 (CET)
To: public-web-security@w3.org
cc: Yutaka OIWA <y.oiwa@aist.go.jp>
Message-ID: <alpine.DEB.2.00.1001040022450.24521@tvnag.unkk.fr>
On Thu, 24 Dec 2009, Yutaka OIWA wrote:

> Our proposed draft spec is available from
>   <http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05>.

In general I think this seems like a good idea (even though I've not yet 
studied the details).

What struck me at once when reading the introduction was the phrase:

    Users can safely input sensitive data to the web forms after confirming
    that the mutual authentication has succeeded.

... but you only authenticated fine; there's no protection against 
eavesdroppers in this scheme! A user would only be "safe" to "input sensitive 
data" if the connection is also protected by some other means, which is beyond 
the scope of this protocol, but still I think the way that is written is 
slightly misleading.

-- 

  / daniel.haxx.se
Received on Sunday, 3 January 2010 23:27:19 GMT
