
RE: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Paul Leach <paulle@windows.microsoft.com>
Date: Thu, 19 Oct 2006 01:11:14 +0000
Message-ID: <76323E9F0A911944A4E9225FACFC55BA02785495@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: Wilfredo Sánchez Vega <wsanchez@wsanchez.net>, <lists@ingostruck.de>, HTTP Working Group <ietf-http-wg@w3.org>

A MUST NOT requiring that the default configuration not allow Basic auth (or equivalent) unless SSL (or equivalent) was in use would be more justifiable than a flat out prohibition.

However, I think even that is inappropriate _as a protocol requirement_ -- by the test that conformance isn't decidable by compliant implementations. In the "security considerations" section, however, it is permissible to make requirements that are not protocol requirements (e.g., don't store passwords in files accessible by ordinary users).

On the other hand, when there is a choice of authentication mechanisms defined for a protocol, and one or more of them is made "mandatory to implement", it is decidable whether the other party has done so. So I think that such requirements are a valid protocol "MUST". 
Received on Thursday, 19 October 2006 06:27:25 UTC
