- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 02 Jan 2014 10:27:38 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi there,

in the IESG feedback, we were asked by Sean Turner and Stephen Farrell to mention TLS in part 7:

Sean Turner:

> 1) So I guess the reason we're not saying TLS is an MTI with basic/digest is that that's getting done in an httpauth draft? It really wouldn't hurt to duplicate that while we're getting the other one done (I know you *don't* want a reference to that draft).

Stephen Farrell:

> Please check the secdir review. (http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I agree with the comment that this really should have some mention of using TLS to protect basic/digest, even if that ought also be elsewhere.

However, P7 currently does not attempt to discuss security considerations that would be specific to particular authentication schemes. Basic and Digest are defined in RFC 2617, and already have these warnings in their Security Considerations. The same will be true for the replacement specs the HTTPAUTH WG is working on.

Thus I'd like to close this as WONTFIX -- feedback appreciated!

Best regards, Julian

Received on Thursday, 2 January 2014 09:28:10 UTC