
Re: IETF documents - action item from TAG meeting.

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Mon, 3 Apr 2006 16:41:55 -0700
Message-Id: <178962F0-A307-43BE-ABBE-F1AACADC2EEC@yahoo-inc.com>
Cc: <www-tag@w3.org>
To: "Rice, Ed (ProCurve)" <ed.rice@hp.com>


On 2006/04/03, at 1:55 PM, Rice, Ed (ProCurve) wrote:
>
> SASL in HTTP/1.1
> <http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-12.txt>

As I understand it (the document is very complex), this effectively ties the authentication session to the HTTP connection, which breaks the layering of HTTP and introduces a big security hole; e.g., a SASL-naive proxy that muxes connections from several clients can interlace requests from client A into the request stream of client B to server S, effectively giving A's credentials to B.

See 4.7.1 Example 1, towards the end where the client re-tries the original request once the auth negotiation takes place.

I've made this comment previously to the authors, apparently to no avail.

--
Mark Nottingham
mnot@yahoo-inc.com
Received on Monday, 3 April 2006 23:43:02 GMT
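A toy model of the multiplexing scenario described in the message, added here as an illustration (not code from the message, the draft, or its authors); the two server classes, the request shape and the constructed traffic are assumptions:

```python
# Added example: a connection-bound authentication server versus one that
# authenticates each request, behind a proxy that may multiplex clients.
# Requests are dicts; an "auth" key stands for a credential presented
# (or a SASL exchange completed) on that request. All names are assumed.

class ConnectionBoundAuthServer:
    """Hypothetical server that, like the draft as described above, remembers
    the authenticated identity per connection and applies it to every later
    request arriving on that connection."""
    def __init__(self):
        self.identity_by_conn = {}

    def handle(self, conn_id, request):
        if "auth" in request:  # negotiation done: bind identity to the connection
            self.identity_by_conn[conn_id] = request["auth"]
        user = self.identity_by_conn.get(conn_id)
        if user is None:
            return "401 unauthorized"
        return f"200 {request['path']} as {user}"


class PerRequestAuthServer:
    """Server that keeps HTTP's layering: each request carries its own
    credential and nothing is remembered per connection."""
    def handle(self, conn_id, request):
        user = request.get("auth")
        if user is None:
            return "401 unauthorized"
        return f"200 {request['path']} as {user}"


# Constructed traffic in order of arrival at the server: A authenticates and
# later retries its original request; B never authenticates at all.
TRAFFIC = [
    ("A", {"path": "/mine", "auth": "alice"}),
    ("B", {"path": "/private"}),
    ("A", {"path": "/mine", "auth": "alice"}),
]


def run_via_proxy(server, mux):
    """Forward TRAFFIC through a proxy. mux=True models a SASL-naive proxy that
    reuses one upstream connection for both clients; mux=False gives each
    client its own upstream connection. Returns responses keyed by client."""
    responses = {}
    for client, request in TRAFFIC:
        conn_id = "conn-shared" if mux else f"conn-{client}"
        responses.setdefault(client, []).append(server.handle(conn_id, request))
    return responses
```

With the connection-bound server and a multiplexing proxy, B's unauthenticated request is served as alice; separating the upstream connections or authenticating per request closes the hole, which is why safety here depends on every intermediary being SASL-aware.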
