- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Mon, 28 Jan 2008 12:52:29 -0800
- To: Paul Hoffman <paul.hoffman@vpnc.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Here are some comments:

WRT: "2.1. Forms And Cookies Almost all HTTP authentication is accomplished through HTML forms, with session keys stored in cookies."

I think calling them "session keys" is a little misleading, since they really aren't used to encrypt or integrity protect the session. Calling them "session IDs" would be more appropriate; best practice has them be unforgeable and unguessable (but subject to theft by MITM unless kept secret by other means) -- and almost undoubtedly there are some implementations that use incrementing session ID counters.

WRT: "2.2.2. Digest Authentication ... Additionally, implementation experience has shown that the message integrity mode is impractical because it requires servers to analyze the full request before determining whether the client knows the shared secret."

Could you elaborate? The purpose of integrity protection isn't simply to determine if the client knows the shared secret, it is to insure that no MITM can modify the integrity protected data. This intrinsically requires that all integrity protected data be examined. Hence, the above statement seems to really amount to the claim that integrity protection is too expensive to be practical. However, it isn't any more expensive than TLS, and TLS is used pretty widely. If all the server wants to know is whether the client knows the shared secret, the non-integrity-protected mode does that. The only reason to use message integrity mode is if message integrity is needed to meet security requirements.

WRT: "Many Digest capabilities included to prevent replay attacks expose the server to Denial of Service attacks."

Which capabilities in particular?

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Paul Hoffman
Sent: Wednesday, January 23, 2008 2:00 PM
To: ietf-http-wg@w3.org
Subject: Security Requirements for HTTP, draft -00

Greetings.
Alexey and I have done a small rev on Rob Sayre's earlier document describing the security properties of HTTP and how they vary from the IETF's "mandatory to implement" policy. We look forward to discussion from the WG on how this document should progress (other than the obvious places where we have holes...). --Paul Hoffman, Director --VPN Consortium
Received on Monday, 28 January 2008 20:53:12 UTC
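The exchange between Leach and the draft text turns on what the Digest server has to read before it can check the client's response. The following is an added example, not code from the e-mail thread or from the draft: it computes the RFC 2617 "response" value for qop=auth and qop=auth-int, verifies it on a minimal server that also keeps the per-nonce nonce-count state used to reject replays, and shows that a body modified in transit is accepted under auth but rejected under auth-int. MD5 is used because that is what RFC 2617 specifies, not as a recommendation. The realm, user, password, URI and request bodies are constructed for the illustration.

```python
"""Digest access authentication (RFC 2617) worked example.

Added illustration for the auth vs auth-int discussion; not the draft's or
the e-mail author's code. All credentials and request data are constructed.
"""
import hashlib
import hmac
import os


def h(s: str) -> str:
    """H() from RFC 2617 section 3.2.1: lowercase hex MD5 of a string."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """Compute the 'response' parameter (RFC 2617 section 3.2.2.1).

    For qop=auth, A2 covers only the method and request URI, so the value can
    be checked from the headers alone. For qop=auth-int, A2 also contains
    H(entity-body), so the verifier must read and hash the entire body first.
    """
    a1 = f"{username}:{realm}:{password}"
    if qop == "auth-int":
        a2 = f"{method}:{uri}:{hashlib.md5(body).hexdigest()}"
    elif qop == "auth":
        a2 = f"{method}:{uri}"
    else:
        raise ValueError(f"unsupported qop {qop!r}")
    # response = KD(H(A1), nonce:nc:cnonce:qop:H(A2)), KD(s, d) = H(s:d)
    return h(f"{h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2)}")


class DigestServer:
    """Minimal verifier. 'seen' is the per-nonce state a server keeps so that
    a repeated (nonce, nonce-count) pair is rejected as a replay."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (constructed)
        self.seen = {}              # nonce -> highest nonce-count accepted

    def issue_nonce(self):
        nonce = os.urandom(16).hex()
        self.seen[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, qop,
               response, body=b""):
        password = self.users.get(username)
        if password is None or nonce not in self.seen:
            return False
        count = int(nc, 16)
        if count <= self.seen[nonce]:       # nc must strictly increase
            return False
        expected = digest_response(username, self.realm, password, method,
                                   uri, nonce, nc, cnonce, qop, body)
        if not hmac.compare_digest(expected, response):
            return False
        self.seen[nonce] = count
        return True


def demonstrate():
    """Run the client/server exchange and report what each mode accepts."""
    realm, user, pw = "example.org", "alice", "correct horse"   # constructed
    server = DigestServer(realm, {user: pw})
    nonce = server.issue_nonce()
    cnonce = os.urandom(8).hex()
    body = b'{"to": "bob", "amount": 10}'          # what the client sent
    tampered = b'{"to": "mallory", "amount": 10}'  # what a MITM delivers
    results = {}

    # qop=auth: body is outside the protected data, so the tampered request
    # still verifies.
    r = digest_response(user, realm, pw, "POST", "/transfer", nonce,
                        "00000001", cnonce, "auth")
    results["auth_tampered_body_accepted"] = server.verify(
        user, "POST", "/transfer", nonce, "00000001", cnonce, "auth", r, tampered)

    # qop=auth-int: the server must hash the full body before it can decide.
    r2 = digest_response(user, realm, pw, "POST", "/transfer", nonce,
                         "00000002", cnonce, "auth-int", body)
    results["auth_int_tampered_body_accepted"] = server.verify(
        user, "POST", "/transfer", nonce, "00000002", cnonce, "auth-int", r2, tampered)
    results["auth_int_intact_body_accepted"] = server.verify(
        user, "POST", "/transfer", nonce, "00000002", cnonce, "auth-int", r2, body)

    # Replaying the accepted request reuses nc=00000002 and is rejected.
    results["replay_accepted"] = server.verify(
        user, "POST", "/transfer", nonce, "00000002", cnonce, "auth-int", r2, body)
    return results


if __name__ == "__main__":
    for name, accepted in demonstrate().items():
        print(f"{name}: {accepted}")
```

The auth-mode check needs nothing beyond the Authorization header, which is why it can be done before the body is read; auth-int cannot decide until the last byte of the entity has passed through the hash, which is the cost the draft text refers to and the cost Leach argues is inherent in any integrity protection. The `seen` table is the replay state a server has to hold for every nonce it issues.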