- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Thu, 02 Jan 2014 22:55:12 +1300
- To: ietf-http-wg@w3.org
On 2/01/2014 10:27 p.m., Julian Reschke wrote:
> Hi there,
>
> in the IESG feedback, we were asked by Sean Turner and Stephen Farrell
> to mention TLS in part 7:
>
> Sean Turner:
>
>> 1) So I guess the reason we're not saying TLS is an MTI with
>> basic/digest is that that's getting done in an httpauth draft? It
>> really wouldn't hurt to duplicate that while we're getting the other
>> one done (I know you *don't* want a reference to that draft).
>
> Stephen Farrell:
>
>> Please check the secdir review. (
>> http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I
>> agree with the comment that this really should have some mention of
>> using TLS to protect basic/digest, even if that ought also be elsewhere.
>
> However, P7 currently does not attempt to discuss security
> considerations that would be specific to particular authentication schemes.
>
> Basic and Digest are defined in RFC 2617, and already have these
> warnings in their Security Considerations. The same will be true for the
> replacement specs the HTTPAUTH WG is working on.
>
> Thus I'd like to close this as WONTFIX -- feedback appreciated!
>

Peg me as a "don't care".

But, if they are going to make a fuss it would not be far amiss to have a generic mention that

"
Either message-based security (i.e. Secure-HTTP or similar) or underlying transport security (i.e. IPSEC, TLS or other future techniques) has implications on the HTTP messages and any data contained.
"

or something to that effect.

The important details being that TLS is just one option, and wrapping only a portion of the message in encryption is reasonable.

Amos
Received on Thursday, 2 January 2014 09:55:52 UTC