- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 27 Nov 2006 13:49:18 +0100
- To: Cullen Jennings <fluffy@cisco.com>
- CC: Lisa Dusseault <lisa@osafoundation.org>, WebDav WG <w3c-dist-auth@w3.org>
Cullen Jennings wrote:
>
> Hi - Julian - stuff inline. I'm sending this with my Webdav Chair hat on
> ...
> Lisa and I did talk about this before and I have had
> conversations with security area folks and ADs on this topic.
> ...
> I think this referred to the description of a *server* sending
> credentials with Basic - that was wrong; the only way a server
> authenticates itself is with TLS. This was fixed by moving "credential"
> to "challenges" - I think this was the original intent and this was
> just a mistake in getting the words down.

OK, that's an editorial fix. Good.

>> (2) please clarify where there was a prior discussion about changing
>> the security requirements (at this stage, if I may add...).
>
> The only thing of relevance that seems to have changed here is removal of
> the words around "or connection over a network which is physically
> secure, for example, an isolated network in a building with restricted
> access". The draft did not provide a way for a client or server to
> detect that the complete network connection was secure in this form - in
> general it does not seem that there is a way to reliably detect that
> the complete end to end connection is secure so I did not bother to ask
> the WG to try and add this. There are many long threads on this topic
> but the bottom line is that the general IETF view is that sending passwords
> over an unencrypted link like this causes more harm than the cost of
> doing digest. If we want to change that, we would need to go make that
> argument somewhere in the security area not in the webdav WG.

Well, no. Before, the specification allowed *any* kind of secure connection, and listed TLS and a network with restricted access as *examples*. This is why we didn't need a normative reference to TLS after all. Now, Basic Auth MUST use TLS, which is a new requirement that definitely hasn't been discussed here before.

Personally, I would propose not to mess with this section unless there's something clearly wrong with it.

>> Please also note that this would introduce a normative dependency on
>> TLS, for which we'd need a reference.
>
> Yes you are right - we depend in a normative way on TLS and need the
> reference. I will work with Lisa on sorting this out. Note that servers
> can be compliant servers without implementing or deploying TLS, they
> just need to use digest instead of basic.

Well, maybe we should start eating our own dogfood then? Both http://www.webdav.org and http://ietf.osafoundation.org/ allow Basic Authentication over HTTP, after all.

Best regards, Julian
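As an added illustration of the rule argued over in this exchange (a Basic challenge is only acceptable over TLS, while a Digest challenge is fine without it), and not code from the thread or from any WebDAV project, here is a small Python check that classifies a server's WWW-Authenticate challenges the way a deployment audit would. The hostnames and header values are constructed samples, and the audit function's result labels are my own naming.

```python
"""Audit HTTP auth challenges: flag Basic offered over a cleartext (non-https) URL."""
import re
from urllib.parse import urlsplit

# Quoted strings are blanked first so words inside realm="..." are never taken for schemes.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A scheme name is a token at the start of the value or right after a comma that is
# NOT followed by '=' (a token followed by '=' is a parameter name such as qop=).
_SCHEME = re.compile(r'(?:^|,)\s*([A-Za-z][\w-]*)(?![\w-])(?!\s*=)')


def challenge_schemes(header_values):
    """Return the lower-cased auth schemes offered across all WWW-Authenticate values."""
    schemes = []
    for value in header_values:
        stripped = _QUOTED.sub('""', value)
        schemes.extend(m.group(1).lower() for m in _SCHEME.finditer(stripped))
    return schemes


def audit_challenges(url, header_values):
    """Classify a server's challenges as 'ok', 'basic-over-cleartext' or 'no-challenge'."""
    over_tls = urlsplit(url).scheme.lower() == "https"
    schemes = challenge_schemes(header_values)
    if not schemes:
        return "no-challenge"
    if "basic" in schemes and not over_tls:
        # Basic carries the password in a reversible encoding; without TLS it travels in the clear.
        return "basic-over-cleartext"
    return "ok"


if __name__ == "__main__":
    # Constructed samples (hypothetical hosts), not captured responses from any real server.
    samples = [
        ("http://dav.example.test/", ['Basic realm="WebDAV"']),
        ("https://dav.example.test/", ['Basic realm="WebDAV"']),
        ("http://dav.example.test/", ['Digest realm="WebDAV", qop="auth", nonce="abc"']),
    ]
    for url, headers in samples:
        print(url, "->", audit_challenges(url, headers))
```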
Received on Monday, 27 November 2006 12:49:33 UTC