
Re: Mount considerations

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 23 May 2006 20:42:35 +0200
Message-ID: <4473579B.5000604@gmx.de>
To: Lisa Dusseault <lisa@osafoundation.org>
CC: WebDav WG <w3c-dist-auth@w3.org>

Lisa Dusseault wrote:
>> The username (optionally) is sent in the content from server to client 
>> (see 
>> <http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-04.html#ELEMENT_username>). 
>> In general, this is the user name that was used to authenticate to the 
>> Web site in the first place, so I'm not sure why sending it back to 
>> the client is any kind of security risk?
> 
> It's not obvious at all to me that the username I use to download the 
> mount document is the same one my client used to authenticate to get the 
> document. That implies that the document is dynamically generated, 
> always. That makes it harder to deploy in some cases.

Well, it depends on the use case. In general, I would expect it to be 
either dynamically generated, or not to have the username in it.

>> I'm not sure what kind of information you're referring to here. Please 
>> be more specific...
> 
> Given my assumption that the username could be the one the client is 
> using or some *other* username, there is at least a possibility of 
> information leaking here.

As there is with any other document type. I'm not sure where the 
security risk is here. That somebody can find out about usernames? These 
things also show up in lock properties, ACL properties, HTML content, 
whatnot...

Best regards, Julian
Received on Tuesday, 23 May 2006 18:42:44 GMT
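The disagreement above is about whether the `username` in a mount document can be trusted to name the principal that fetched it. As an added example that is not part of this thread or of the draft, here is a client-side check that parses a davmount document and compares its `username` element with the credential the client actually authenticated with, so a statically served document naming some other account is flagged instead of silently adopted. The element names and the namespace `http://purl.org/NET/webdav/mount` are assumed from the webdav-mount draft; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Assumed davmount namespace and element names (from draft-reschke-webdav-mount).
DM_NS = "http://purl.org/NET/webdav/mount"


def parse_davmount(document: str) -> Dict[str, str]:
    """Extract the url, open and username elements of a davmount document."""
    root = ET.fromstring(document)
    if root.tag != "{%s}mount" % DM_NS:
        raise ValueError("not a davmount document: root is %r" % root.tag)
    info: Dict[str, str] = {}
    for name in ("url", "open", "username"):
        el = root.find("{%s}%s" % (DM_NS, name))
        if el is not None and el.text:
            info[name] = el.text.strip()
    return info


def check_username(document: str, authenticated_as: Optional[str]) -> str:
    """Classify the username hint in a mount document.

    'absent'   - no username element; the client must ask the user.
    'match'    - hint equals the principal used to fetch the document.
    'mismatch' - hint names another principal (static document, stale copy,
                 or leaked name); do not use it without confirmation.
    """
    username = parse_davmount(document).get("username")
    if username is None:
        return "absent"
    if authenticated_as is not None and username == authenticated_as:
        return "match"
    return "mismatch"


# Constructed sample documents for demonstration.
DOC_WITH_USER = (
    '<dm:mount xmlns:dm="%s">'
    "<dm:url>https://example.invalid/dav/alice/</dm:url>"
    "<dm:username>alice</dm:username>"
    "</dm:mount>" % DM_NS
)
DOC_NO_USER = (
    '<dm:mount xmlns:dm="%s">'
    "<dm:url>https://example.invalid/dav/shared/</dm:url>"
    "</dm:mount>" % DM_NS
)
```

A client that fetched `DOC_WITH_USER` as `alice` gets `match`; the same document fetched as `bob` gets `mismatch`, which is exactly the statically generated case discussed above.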
