Mark Nottingham wrote:
>
> On 2006/04/03, at 1:55 PM, Rice, Ed (ProCurve) wrote:
>>
>> SASL in HTTP/1.1
>> <http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-12.txt>
>
> As I understand it (the document is very complex), this effectively
> ties the authentication session to the HTTP connection, which breaks
> the layering of HTTP and introduces a big security hole;

I haven't read the SASL in HTTP document, but there's already been a lot of integration and security trouble caused by Microsoft NTLM authentication, which is also tied to the HTTP connection.

<http://www.modsecurity.org/archive/amit/ntlm_http_authentication_is_insecure_by_design.txt>

Regarding HMAC Digest, there's a new version coming soon. A more stable URI to track the document is available from ISOC:

<http://ietfreport.isoc.org/idref/draft-sayre-http-hmac-digest/>

Coincidentally, Amazon's S3 Web storage service recently deployed a proprietary authentication scheme that's very similar to HMAC Digest:

<http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html>

--
Robert Sayre

Received on Wednesday, 5 April 2006 21:02:48 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 12 September 2008 07:02:10 GMT