On 2006/04/03, at 1:55 PM, Rice, Ed (ProCurve) wrote:

> SASL in HTTP/1.1
> <http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-12.txt>

As I understand it (the document is very complex), this effectively ties the authentication session to the HTTP connection, which breaks the layering of HTTP and introduces a big security hole; e.g., a SASL-naive proxy that muxes connections from several clients can interlace requests from client A into the request stream of client B to server S, effectively giving A's credentials to B.

See 4.7.1 Example 1, towards the end where the client retries the original request once the auth negotiation takes place.

I've made this comment previously to the authors, apparently to no avail.

--
Mark Nottingham
mnot@yahoo-inc.com

Received on Monday, 3 April 2006 23:43:02 GMT
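The layering problem described in the message above, as an added model that is not code from the draft or from any HTTP or SASL implementation: a server that binds identity to the connection once a negotiation succeeds, a server that derives identity from each request, and an auth-naive proxy that forwards several clients' requests over one upstream connection. All class names, the credential strings and the traffic sequence are constructed for the illustration.

```python
"""Model of connection-scoped vs. request-scoped authentication behind a
multiplexing proxy. Illustrative code added to this archive page; the
classes, credentials and traffic below are constructed, not taken from
the draft or from any real implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed credential database: credential -> principal
USERS = {"secret-alice": "alice", "secret-bob": "bob"}
# Constructed mapping of downstream client label -> the principal it owns
OWNER = {"A": "alice", "B": "bob"}


@dataclass
class Request:
    client: str                      # downstream client that sent it
    path: str
    credential: Optional[str] = None  # per-request credential, if any


class ConnectionScopedServer:
    """Once a negotiation succeeds on connection `conn`, every later
    request on that connection is served as the negotiated principal."""

    def __init__(self) -> None:
        self.conn_identity: Dict[int, str] = {}

    def handle(self, conn: int, req: Request) -> Tuple[int, str]:
        if req.credential in USERS:
            self.conn_identity[conn] = USERS[req.credential]
        who = self.conn_identity.get(conn)
        if who is None:
            return 401, "auth required"
        return 200, f"{req.path} served as {who}"


class RequestScopedServer:
    """Identity is derived only from what travels with the request."""

    def handle(self, conn: int, req: Request) -> Tuple[int, str]:
        who = USERS.get(req.credential)
        if who is None:
            return 401, "auth required"
        return 200, f"{req.path} served as {who}"


class MuxingProxy:
    """Auth-naive proxy: all downstream clients share one upstream
    connection, and requests are forwarded in arrival order."""
    UPSTREAM_CONN = 1

    def __init__(self, server) -> None:
        self.server = server
        self.log: List[Tuple[str, int, str]] = []

    def forward(self, req: Request) -> Tuple[int, str]:
        status, body = self.server.handle(self.UPSTREAM_CONN, req)
        self.log.append((req.client, status, body))
        return status, body


def run_scenario(server) -> List[Tuple[str, int, str]]:
    """Constructed traffic: A negotiates, B's unauthenticated request is
    interleaved on the same upstream connection, then A retries its
    original request without re-sending anything."""
    proxy = MuxingProxy(server)
    traffic = [
        Request("A", "/private", credential="secret-alice"),
        Request("B", "/private"),
        Request("A", "/private"),
    ]
    for req in traffic:
        proxy.forward(req)
    return proxy.log


def credential_leaks(server) -> List[Tuple[str, str]]:
    """Return (client, principal) pairs where a client was served as a
    principal it does not own, i.e. the leak Mark describes."""
    leaks = []
    for client, status, body in run_scenario(server):
        if status != 200:
            continue
        principal = body.rsplit(" ", 1)[-1]
        if OWNER[client] != principal:
            leaks.append((client, principal))
    return leaks


if __name__ == "__main__":
    print("connection-scoped:", run_scenario(ConnectionScopedServer()))
    print("leaks:", credential_leaks(ConnectionScopedServer()))
    print("request-scoped:   ", run_scenario(RequestScopedServer()))
    print("leaks:", credential_leaks(RequestScopedServer()))
```

With the connection-scoped server, B's interleaved request is served as alice, which is the proxy-mediated credential hand-over the message warns about; with the request-scoped server the same traffic yields 401 for both B and for A's credential-less retry, so the proxy's multiplexing never transfers identity between clients.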