- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 22 Jan 2014 15:04:17 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
On 2014-01-02 10:27, Julian Reschke wrote:
> Hi there,
>
> in the IESG feedback, we were asked by Sean Turner and Stephen Farrell
> to mention TLS in part 7:
>
> Sean Turner:
>
>> 1) So I guess the reason we're not saying TLS is an MTI with
>> basic/digest is that that's getting done in an httpauth draft? It
>> really wouldn't hurt to duplicate that while we're getting the other
>> one done (I know you *don't* want a reference to that draft).
>
> Stephen Farrell:
>
>> Please check the secdir review.
>> (http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html)
>> I agree with the comment that this really should have some mention of
>> using TLS to protect basic/digest, even if that ought also be elsewhere.
>
> However, P7 currently does not attempt to discuss security
> considerations that would be specific to particular authentication schemes.
>
> Basic and Digest are defined in RFC 2617, and already have these
> warnings in their Security Considerations. The same will be true for the
> replacement specs the HTTPAUTH WG is working on.
>
> Thus I'd like to close this as WONTFIX -- feedback appreciated!
>
> Best regards, Julian
Proposed change
(<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/539/539.diff>):
add

"Challenges and responses are transmitted in header field values, and
thus can easily leak information when not using a secured connection.
Depending on the type of the authentication scheme, it therefore can be
necessary to use a TLS-secured connection ("Transport Layer Security",
[RFC5246])."
Amos, if you want to tune this to clarify that there are other ways to
secure the bits, please go ahead and make a proposal...
Best regards, Julian
Received on Wednesday, 22 January 2014 14:04:52 UTC
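The proposed wording above says that challenges and credentials travel in header field values and therefore leak when the connection is not secured. As an added illustration (not part of the mailing-list message, the HTTPbis drafts, or any WG tool), the following Python audit walks over a set of captured HTTP messages and flags authentication header fields seen on plaintext connections. The message records, field names such as `Authorization` and `WWW-Authenticate`, and the sample credentials are all constructed here; the severity labels are an assumption of this example, not anything the draft defines.

```python
"""Flag HTTP authentication header fields that travel over a plaintext connection."""
import base64
import binascii

# Header fields carrying challenges (server -> client) and credentials
# (client -> server), as named in HTTPbis part 7.
CHALLENGE_FIELDS = {"www-authenticate", "proxy-authenticate"}
CREDENTIAL_FIELDS = {"authorization", "proxy-authorization"}


def basic_userid(field_value):
    """Return the user-id from a 'Basic <base64>' credential, or None if malformed.

    Basic encodes 'user-id:password' with base64, so on a plaintext connection
    the whole credential is readable by anyone on the path. Only the user-id is
    returned here; that is enough to demonstrate the exposure.
    """
    parts = field_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    userid, sep, _password = decoded.partition(":")
    return userid if sep else None


def audit_message(tls, headers):
    """Return findings for one HTTP message (request or response).

    tls: whether the message was carried over a TLS-secured connection.
    headers: dict mapping header field name -> field value.
    """
    findings = []
    if tls:
        return findings  # header block is protected in transit; nothing to flag
    for name, value in headers.items():
        lname = name.lower()
        if lname not in CHALLENGE_FIELDS | CREDENTIAL_FIELDS:
            continue
        scheme = value.split(None, 1)[0].lower() if value.strip() else ""
        if lname in CREDENTIAL_FIELDS and scheme == "basic":
            userid = basic_userid(value)
            severity = "high"
            detail = f"Basic credentials in clear (user-id {userid!r} readable)"
        elif lname in CREDENTIAL_FIELDS and scheme == "digest":
            severity = "medium"
            detail = "Digest response in clear (username, realm, nonce and response hash readable)"
        elif lname in CREDENTIAL_FIELDS:
            severity = "medium"
            detail = f"{scheme or 'unknown'} credentials in clear"
        else:
            severity = "low"
            detail = f"{scheme or 'unknown'} challenge in clear (scheme and realm readable)"
        findings.append({"header": name, "scheme": scheme,
                         "severity": severity, "detail": detail})
    return findings


def audit_messages(messages):
    """Audit a sequence of (tls, headers) pairs; findings are tagged with the message index."""
    results = []
    for index, (tls, headers) in enumerate(messages):
        for finding in audit_message(tls, headers):
            finding["message"] = index
            results.append(finding)
    return results


# Constructed sample traffic for this example: (tls, headers) pairs.
SAMPLE_MESSAGES = [
    (False, {"Host": "api.example.test",
             "Authorization": "Basic YWxpY2U6cGFzc3dvcmQ="}),           # "alice:password"
    (True, {"Host": "api.example.test",
            "Authorization": "Basic YWxpY2U6cGFzc3dvcmQ="}),            # same, but over TLS
    (False, {"Host": "api.example.test",
             "Authorization": 'Digest username="alice", realm="api", '
                              'nonce="n0nce-example", uri="/", '
                              'response="00000000000000000000000000000000"'}),
    (False, {"WWW-Authenticate": 'Basic realm="api"'}),                  # plaintext challenge
]

if __name__ == "__main__":
    for f in audit_messages(SAMPLE_MESSAGES):
        print(f"message {f['message']}: [{f['severity']}] {f['header']}: {f['detail']}")
```

Run as-is, the audit reports the plaintext Basic request, the plaintext Digest request and the plaintext challenge, and stays silent on the identical Basic request sent over TLS, which is exactly the distinction the proposed sentence draws.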