
Re: Call for adoption: draft-reschke-httpauth-auth-info-00

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 02 Feb 2015 14:41:47 +0100
Message-ID: <54CF7E9B.2060700@gmx.de>
To: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org

On 2015-01-30 22:45, Amos Jeffries wrote:
> On 31/01/2015 3:11 a.m., Rifaat Shekh-Yusef wrote:
>> Why would we restrict the use of this header in future protocols based on
>> the Digest usage of this header?
>> What would be the harm in allowing the new protocol that uses the header to
>> restrict its usage?
>>
>
> Information leaks. User credentials and secure tokens are potentially
> stored in here, as are details specific to the internal operation of the
> security algorithm selected/negotiated.
> ...

The intent of the draft was to separate out what was defined in RFC 
2617; thus I agree that we shouldn't relax the use unless there's broad 
consensus that that would be a good idea.

Best regards, Julian
Received on Monday, 2 February 2015 13:42:40 UTC