- From: Alexey Melnikov <alexey.melnikov@isode.com>
- Date: Thu, 31 May 2012 15:15:17 +0100
- To: Mark Nottingham <mnot@mnot.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 31/05/2012 13:09, Mark Nottingham wrote: > <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/348> > > Proposal - > > New section in p7 Security Considerations: > > """ > 6.2 Protection Spaces > > Authentication schemes that use the "realm" mechanism for establishing a protection space will expose credentials to all resources on a server. This makes it possible for a resource to harvest authentication credentials for other resources on the same server. > > This is of particular concern when a servers hosts resources for multiple parties. Possible mitigation strategies include restricting direct access to authentication credentials (i.e., not making the content of the Authorization request header available), and separating protection spaces by using a different hostname for each party. > """ Mark, I might be missing something: I thought realm can be used to restrict access to resources within a server (i.e. the same host can serve multiple different realms, each realm can have its own user password database). Your text above contradicts that.
Received on Thursday, 31 May 2012 14:15:40 UTC