
Re: Call for adoption: draft-reschke-httpauth-auth-info-00

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Mon, 2 Feb 2015 09:08:44 -0500
Message-ID: <CAGL6epL_XLY+ZeLPi3XVJsdaoSYFwhJuuy7zDeLspJ0tMfKvKw@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
This document does not define any semantics associated with these headers,
which means that the document that uses these headers will be the one that
must address the information leak issue.
I do not see why we would restrict a future use of these headers based on
the Digest usage; this seems odd to me.


On Mon, Feb 2, 2015 at 8:41 AM, Julian Reschke <julian.reschke@gmx.de>

> On 2015-01-30 22:45, Amos Jeffries wrote:
>> On 31/01/2015 3:11 a.m., Rifaat Shekh-Yusef wrote:
>>> Why would we restrict the use of this header in future protocols based on
>>> the Digest usage of this header?
>>> What would be the harm in allowing the new protocol that uses the header
>>> to restrict its usage?
>> Information leaks. User credentials and secure tokens are potentially
>> stored in here, as are details specific to the internal operation of the
>> security algorithm selected/negotiated.
>> ...
> The intent of the draft was to separate out what was defined in RFC 2617;
> thus I agree that we shouldn't relax the use unless there's broad consensus
> that that would be a good idea.
> Best regards, Julian
Received on Monday, 2 February 2015 14:09:12 UTC