- From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
- Date: Thu, 13 Mar 2008 23:09:03 -0400
- To: ietf-http-wg@w3.org
On Fri, Feb 22, 2008 at 09:58:34AM -0800, Internet-Drafts@ietf.org <Internet-Drafts@ietf.org> wrote a message of 20 lines which said:

> Title : Security Requirements for HTTP
> Author(s) : P. Hoffman, A. Melnikov
> Filename : draft-ietf-httpbis-security-properties-01.txt

This draft has a section on TLS, 2.5, which is quite short :-)

I suggest, after or before 2.2:

2.x TLS authentication

For the humans, long after form+cookies, TLS [RFC4346] is certainly the most common way to authenticate a Web client. For the robots, this technique is common, too.

Most actual deployments of client authentication use a custom PKI, and user certificates directly distributed by this PKI. X509 hierarchies starting from a "widely known" CA are less common. For instance, the tax submission system in France allowed last year X [TODO: check the actual value] millions of users to submit their tax data after authentication with a certificate delivered by the government.

And, in 2.5:

TLS, besides its use for client and/or server authentication, is also very commonly used to protect the confidentiality and integrity of the HTTP session. For instance, both HTTP Basic authentication and Cookies are often protected against snooping by TLS. It should be noted that, in that case, TLS does not protect against a breach of the credential store at the server or against a keylogger or phishing interface at the client. TLS does not change the fact that Basic Authentication passwords are reusable and does not address that weakness.
Received on Friday, 14 March 2008 12:18:44 UTC
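As an added illustration of the custom-PKI client authentication described in the proposed 2.x text (example code written for this page, not from the draft or from the poster), the Go program below builds a private CA, issues a server certificate and a user certificate from it, and runs a TLS server that admits only clients whose certificate chains to that CA. A second certificate carrying the same name but signed by an unrelated CA is refused during the handshake, before any HTTP request is seen. All names (Example Ministry Root CA, Unrelated Root CA, portal.example, alice) are made up for the example; it uses only the Go standard library and binds to 127.0.0.1 through net/http/httptest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mint issues a certificate for cn, returned with its key and parsed Leaf so it can serve
// as a parent in turn. parent == nil gives a self-signed CA (the root of a custom PKI);
// server selects the serverAuth EKU plus a 127.0.0.1 SAN so the httptest URL verifies.
func mint(cn string, parent *tls.Certificate, server bool) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only crypto/rand failures reach here; names are illustrative
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// whoAmI connects presenting client, trusting ca for the server side, and returns the
// name the server accepted, or the error the rejected handshake produced.
func whoAmI(url string, ca, client tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	cfg := &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{client}}
	hc := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}, Timeout: 5 * time.Second}
	resp, err := hc.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// run starts a server that admits only certificates chaining to its own PKI, then
// contrasts a user certificate from that PKI with one of the same name from an unrelated CA.
func run() (accepted string, rejected error, err error) {
	ownPKI, otherCA := mint("Example Ministry Root CA", nil, false), mint("Unrelated Root CA", nil, false)
	clientCAs := x509.NewCertPool() // the only issuers accepted for client certificates
	clientCAs.AddCert(ownPKI.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName) // chain already verified
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{mint("portal.example", &ownPKI, true)},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	}
	srv.StartTLS()
	defer srv.Close()
	if accepted, err = whoAmI(srv.URL, ownPKI, mint("alice", &ownPKI, false)); err != nil {
		return
	}
	_, rejected = whoAmI(srv.URL, ownPKI, mint("alice", &otherCA, false))
	return
}

func main() {
	accepted, rejected, err := run()
	fmt.Printf("own PKI: %q (err=%v); unrelated CA: %v\n", accepted, err, rejected)
}
```

Run it with `go run`; it prints the name the handler saw for the own-PKI certificate and the TLS alert the unrelated-CA certificate triggered. ClientCAs is the "custom PKI" decision the text describes: once it is set, the system trust store plays no part in judging client certificates, so a certificate from a "widely known" CA is as unwelcome as the one from Unrelated Root CA. Against the second paragraph of the proposed text, note the contrast with Basic authentication: the handler never receives a secret at all, the identity appears in r.TLS.PeerCertificates only after the handshake has verified the chain, and the client proves possession of its key with a signature bound to that handshake rather than by sending a reusable password.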