- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 31 Oct 2013 16:05:21 +0100
- To: Julian Reschke <julian.reschke@greenbytes.de>
- Cc: Stephen Kent <kent@bbn.com>, secdir <secdir@ietf.org>, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, "Mankin, Allison" <amankin@verisign.com>, HTTP Working Group <ietf-http-wg@w3.org>
* Julian Reschke wrote:
>On 2013-10-31 15:44, Bjoern Hoehrmann wrote:
>> I think doing s/encryption/authentication/ instead would be better.
>> There is no reason to discuss confidentiality here. Encryption and other
>> cryptographic techniques are used in many authentication schemes, like
>> with client certificates; that may have been the idea behind the text.
>
>"authentication on the transport layer"?

Applying my suggestion would make the text read,

  The HTTP protocol does not restrict applications to this simple
  challenge-response framework for access authentication. Additional
  mechanisms MAY be used, such as authentication at the transport level
  or via message encapsulation, and with additional header fields
  specifying authentication information. However, such additional
  mechanisms are not defined by this specification.

(The MAY might be better as "can".)

>That wouldn't cover Basic auth (plain text passwords) over https:, which
>I think this paragraph is hinting at...

Transport Layer Security client certificate authentication is an additional authentication mechanism at the transport level that implementations of HTTP actually use. Basic authentication is just the basic application of the challenge-response framework defined in the document, so your interpretation seems unlikely.

It might be a good idea to point out that authentication does not imply confidentiality and that TLS can be used for confidentiality, but that should be in a separate paragraph.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Thursday, 31 October 2013 15:05:53 UTC