- From: Paul Hoffman <paul.hoffman@vpnc.org>
- Date: Mon, 28 Jan 2008 13:46:23 -0800
- To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
- Cc: ietf-http-wg@w3.org
At 10:27 PM +0100 1/28/08, Stephane Bortzmeyer wrote:
>On Mon, Jan 28, 2008 at 08:47:46AM -0800,
> Paul Hoffman <paul.hoffman@vpnc.org> wrote
> a message of 59 lines which said:
>
>> I strongly suspect that if you add up all the authentications done
>> on every HTTP server in the world today, forms+cookies+people would
>> win over ((nonforms+people) + (nonforms+nonpeople)).
>
>Maybe, it depends on the metrics you use :-) Number of installations,
>number of requests per day, number of US $ processed ? :-)

Number of requests per day.

>My personal impression is that it is either forms+people or
>nonforms+nonpeople and the rest is marginal.

Fully agree.

>What do other people think? I was extremely surprised that "nonpeople"
>uses of HTTP were, it seems, ignored from the version -00.

Ignored in what way?!?! The security implications of Basic and Digest were fully covered.

>> The sentence is about reusability, not general danger. The
>> reusability comes directly from the attacker being able to see the
>> Basic credential go by.
>
>No, it comes from the credential being static.

No, it comes from the credential being static *and visible to an attacker*.

>If you use OTP, surely
>it does not matter if the attacker can see "the credential go by"?

Correct. Which HTTP authentication standard is for OTP? If we missed one, we should certainly cover it.

>> Section 2.4 is explicitly about "Web Services", not REST and the like.
>
>Well, in that case, I have to ask for the I-D to provide a definition
>for Web Services (I'm myself lost in the marketing talk). But it would
>be a strange definition if it excludes REST.

We'll see. :-)

--Paul Hoffman, Director
--VPN Consortium
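The "static and visible" point in the exchange above, as an added illustration that is not part of the thread or of the I-D being discussed: the Basic scheme sends a fixed, reversible encoding of the password on every request, whereas a Digest response (RFC 2617, qop=auth, MD5) is bound to a server nonce and so changes from challenge to challenge. The credentials, realm and URI in the block are constructed sample values; the two fixed test vectors are the ones printed in RFC 2617 itself.

```python
import base64
import hashlib
import secrets

# Constructed sample credentials (placeholders, not real accounts).
USER = "alice"
PASSWORD = "correct horse battery staple"
REALM = "example.org"
METHOD = "GET"
URI = "/protected"


def basic_header(user: str, password: str) -> str:
    """Authorization header for HTTP Basic: a reversible encoding of the
    static password, byte-for-byte identical on every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_recover(header: str):
    """What anyone who sees the header on the wire learns: Basic is an
    encoding, not a secret, so the captured value is the credential."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for qop=auth with the (default) MD5 algorithm.
    The password itself never goes on the wire; the response is tied to the
    server-chosen nonce and the client nonce."""
    def md5(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def basic_is_static(n: int = 3) -> bool:
    """True if n requests carry exactly the same Basic header: capture once,
    reuse indefinitely (until the password is changed)."""
    headers = {basic_header(USER, PASSWORD) for _ in range(n)}
    return len(headers) == 1


def digest_varies(n: int = 3) -> bool:
    """True if n challenges with fresh server nonces produce n distinct Digest
    responses: a captured response is not a standalone, reusable credential."""
    responses = set()
    for i in range(1, n + 1):
        nonce = secrets.token_hex(16)   # fresh server challenge per request
        cnonce = secrets.token_hex(8)   # client nonce
        responses.add(digest_response(USER, PASSWORD, REALM, METHOD, URI,
                                      nonce, f"{i:08x}", cnonce))
    return len(responses) == n


if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", basic_recover(hdr))
    print("Basic header static across requests:", basic_is_static())
    print("Digest response changes per nonce:", digest_varies())
```

Two caveats belong with the demonstration. A Digest response is still replayable until the server retires the nonce, so the server must actually enforce the nonce lifetime and the `nc` counter; and the MD5 construction exposes HA1 to offline guessing by anyone who observes a response. For both schemes the mitigation that removes "visible to an attacker" is running the exchange over TLS.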
Received on Monday, 28 January 2008 21:46:47 UTC