
Re: IETF documents - action item from TAG meeting.

From: Robert Sayre <sayrer@gmail.com>
Date: Wed, 5 Apr 2006 17:02:22 -0400
Message-ID: <68fba5c50604051402g5d9c26aeuc9a818c76d4e5aa0@mail.gmail.com>
To: www-tag@w3.org
Cc: ed.rice@hp.com

Mark Nottingham wrote:
>
>On 2006/04/03, at 1:55 PM, Rice, Ed (ProCurve) wrote:
>>
>> SASL in HTTP/1.1
>> <http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-12.txt>
>
> As I understand it (the document is very complex), this effectively
> ties the authentication session to the HTTP connection, which breaks
> the layering of HTTP and introduces a big security hole;

I haven't read the SASL in HTTP document, but there's already been a
lot of integration and security trouble caused by Microsoft NTLM
authentication, which is also tied to the HTTP connection.

<http://www.modsecurity.org/archive/amit/ntlm_http_authentication_is_insecure_by_design.txt>

Regarding HMAC Digest, there's a new version coming soon. A more
stable URI to track the document is available from ISOC:

<http://ietfreport.isoc.org/idref/draft-sayre-http-hmac-digest/>

Coincidentally, Amazon's S3 Web storage service recently deployed a
proprietary authentication scheme that's very similar to HMAC Digest:

<http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html>

--

Robert Sayre
Received on Wednesday, 5 April 2006 21:02:48 GMT
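The contrast in the message is between a scheme that binds authentication to the HTTP connection (NTLM, and as described, SASL in HTTP) and a per-request scheme such as HMAC Digest or the S3 REST one, where every request carries its own MAC over a canonical form of that request. The following is an added illustration, not code from the message, from the HMAC Digest draft, or from Amazon: it signs and verifies individual requests and shows that a signature is worthless for any other request or at a later time. The canonical string layout (verb, Content-MD5, Content-Type, Date, path), the `HMAC` scheme token, the 15-minute clock skew window and the credentials are all constructed assumptions for the example, not the exact S3 or HMAC Digest wire format.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed credential store: key id -> shared secret (placeholder values).
SECRETS = {"AKIDEXAMPLE": b"constructed-shared-secret"}
# Assumed maximum difference between the signed Date header and the server clock.
MAX_SKEW = timedelta(minutes=15)


def string_to_sign(method, path, headers):
    """Canonical form of one request. Assumed layout, in the spirit of the S3
    scheme: verb, Content-MD5, Content-Type, Date and the resource path."""
    return "\n".join([
        method.upper(),
        headers.get("Content-MD5", ""),
        headers.get("Content-Type", ""),
        headers["Date"],
        path,
    ])


def sign_request(key_id, method, path, headers):
    """Produce the Authorization header value: HMAC-SHA1 over the canonical
    string, keyed with the caller's shared secret."""
    secret = SECRETS[key_id]
    mac = hmac.new(secret, string_to_sign(method, path, headers).encode(),
                   hashlib.sha1).digest()
    return f"HMAC {key_id}:{base64.b64encode(mac).decode()}"


def verify_request(method, path, headers, now=None):
    """True only if the Authorization header was computed by a holder of the
    shared secret over exactly this request and its Date is within MAX_SKEW.
    Nothing here depends on which connection the request arrived on."""
    auth = headers.get("Authorization", "")
    scheme, _, rest = auth.partition(" ")
    key_id, _, _sig = rest.partition(":")
    if scheme != "HMAC" or key_id not in SECRETS:
        return False
    # Reject stale Date values so a captured signed request cannot be replayed later.
    now = now or datetime.now(timezone.utc)
    try:
        sent = parsedate_to_datetime(headers["Date"])
    except (KeyError, TypeError, ValueError):
        return False
    if abs(now - sent) > MAX_SKEW:
        return False
    expected = sign_request(key_id, method, path, headers)
    # Constant-time comparison of the full header value.
    return hmac.compare_digest(expected, auth)


def demo():
    """Sign one request, then show the same header does not authenticate a
    different request or the same request an hour later."""
    now = datetime(2006, 4, 5, 21, 2, 22, tzinfo=timezone.utc)  # constructed clock
    headers = {"Date": format_datetime(now, usegmt=True),
               "Content-Type": "text/plain"}
    headers["Authorization"] = sign_request("AKIDEXAMPLE", "PUT", "/bucket/key", headers)
    accepted = verify_request("PUT", "/bucket/key", headers, now=now)
    # Same header, different verb: with a connection-bound scheme any later
    # request on the authenticated connection would pass; here it fails.
    other_request = verify_request("DELETE", "/bucket/key", headers, now=now)
    replayed = verify_request("PUT", "/bucket/key", headers,
                              now=now + timedelta(hours=1))
    return accepted, other_request, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check against the Date header is what limits the replay window; a deployment would also need the canonical string to cover anything the server acts on (query parameters, extra headers), or a signature over a partial request protects only that part.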
