
Re: Draft -16 out now

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 27 Nov 2006 13:49:18 +0100
Message-ID: <456ADECE.4090502@gmx.de>
To: Cullen Jennings <fluffy@cisco.com>
CC: Lisa Dusseault <lisa@osafoundation.org>, WebDav WG <w3c-dist-auth@w3.org>

Cullen Jennings schrieb:
> 
> Hi - Julian - stuff inline. I'm sending this with my Webdav Chair hat on 
> ... Lisa and I did talk about this before and I have had 
> conversations with security area folks and ADs on this topic.
> ...
> I think this referred to the description of a *server* sending 
> credentials with Basic - that was wrong the only way a server 
> authenticates itself is with TLS. This was fixed by moving "credential" 
> to "challenges"  - I think this was the original intent and this was 
> just a mistake in getting the words down.

OK, that's an editorial fix. Good.

>> (2) please clarify where there was a prior discussion about changing 
>> the security requirements (at this stage, if I may add...).
> 
> The only thing of relevance that seems to have changed here is removal of 
> the words around "or connection over a network which is physically 
> secure, for example, an isolated network in a building with restricted 
> access". The draft did not provide a way for a client or server to 
> detect that the complete network connection was secure in this form - in 
> general it does not seem that there is a way to reliably detect that 
> the complete end to end connection is secure so I did not bother to ask 
> the WG to try and add this. There are many long threads on this topic 
> but the bottom line is that the general IETF view is that sending passwords 
> over an unencrypted link like this causes more harm than the cost of 
> doing digest. If we want to change that, we would need to go make that 
> argument somewhere in the security area not in the webdav WG.

Well, no. Before, the specification allowed *any* kind of secure 
connection, and listed TLS and a network with restricted access as 
*examples*. This is why we didn't need a normative reference to TLS 
after all.

Now, Basic Auth MUST use TLS, which is a new requirement, that 
definitively hasn't been discussed here before.

Personally, I would propose not to mess with this section unless there's 
something clearly wrong with it.

>> Please also note that this would introduce a normative dependency on 
>> TLS, for which we'd need a reference.
> 
> Yes you are right - we depend in a normative way on TLS and need the 
> reference. I will work with Lisa on sorting this out. Note that servers 
> can be compliant servers without implementing or deploying TLS, they 
> just need to use digest instead of basic.

Well, maybe we should start eating our own dogfood then? Both 
http://www.webdav.org and http://ietf.osafoundation.org/ allow Basic 
Authentication over HTTP, after all.

Best regards, Julian
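The rule under discussion (a Basic challenge is only acceptable over TLS, while Digest is acceptable on plain HTTP) can be checked offline against a server's WWW-Authenticate header. The following is an added Python example, not code from this thread or from any WebDAV implementation; the header values and example.invalid URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses: URL -> WWW-Authenticate header (not real captures).
SAMPLES = {
    "http://example.invalid/dav/": 'Basic realm="dav"',
    "https://example.invalid/dav/": 'Basic realm="dav"',
    "http://example.invalid/cal/": (
        'Digest realm="cal", qop="auth", nonce="abc123", algorithm=MD5, '
        'Basic realm="cal"'
    ),
}

# A challenge scheme is a token at the start of the header or after a comma
# that is followed by whitespace and a "name=" parameter, another comma, or
# the end of the header. A bare "name=" after a comma is a parameter, not a scheme.
_SCHEME_RE = re.compile(
    r'(?:^|,\s*)([A-Za-z][A-Za-z0-9._~+/-]*)(?=\s+[A-Za-z0-9_-]+=|\s*,|\s*$)'
)


def challenge_schemes(header: str) -> list[str]:
    """Return the lower-cased authentication schemes offered in a WWW-Authenticate header."""
    return [m.group(1).lower() for m in _SCHEME_RE.finditer(header)]


def audit(url: str, header: str) -> list[str]:
    """Report findings for one resource against the Basic-over-TLS rule."""
    findings = []
    offered = challenge_schemes(header)
    over_tls = urlsplit(url).scheme.lower() == "https"
    if "basic" in offered and not over_tls:
        findings.append("Basic challenge offered over a non-TLS URL")
    if not over_tls and "digest" not in offered:
        findings.append("no Digest alternative on a non-TLS URL")
    return findings


if __name__ == "__main__":
    for sample_url, www_auth in SAMPLES.items():
        print(sample_url, audit(sample_url, www_auth) or ["ok"])
```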
Received on Monday, 27 November 2006 12:49:33 GMT
