Re: FW: webdav feedback from John Stracke on 1998-10-12 (w3c-dist-auth@w3.org from October to December 1998)

From: John Stracke <francis@netscape.com>
Date: Mon, 12 Oct 1998 19:43:45 +0000
To: WEBDAV WG <w3c-dist-auth@w3.org>
Message-ID: <36225BEF.4BF58FDB@netscape.com>

Jim Whitehead forwarded:

> From: moore@cs.utk.edu [mailto:moore@cs.utk.edu]

[...]

> 3. [nit] Is the reference for Dublin Core [Weibel et. al.], equivalent
> to RFC 2413?  If so, we'd prefer that to just a URL.

Note that RFC 2413 includes a URL to DC's site; would that be enough?

> 8. We've basically decided not to publish the UUID/GUID draft because
> it would define the same thing as an existing ISO document, except in
> a slightly different way.  So you need to reference the ISO document's
> definition of UUIDs.

Gack.

> 11. on the use of URLs as XML namespaces: there's a scalability and
> reliability issue if any particular URIs used as namespace names are
> distributed in products that are widely used, and they may not work if
> used on private nets not connected to the Internet.

We don't write anything that would suggest a client might dereference a
namespace URL, do we?

> 17. section 16.1:
>
> TLS doesn't inherently provide a secure connection, as TLS allows use
> of insecure ciphersuites.  TLS is "secure" only if strong ciphersuites
> are used (40 bit ciphersuites are certainly not secure enough for
> passwords that might be reused in other contexts), and I believe you
> need to have mutual authentication to thwart man-in-the-middle
> attacks.  (I might be wrong about the latter - server-to-client
> authentication might be sufficient to prevent man-in-the-middle
> attacks)

I'm pretty sure server-to-client is meant to be sufficient.  Existing SSL
clients (well, Navigator, anyway :-) have to deal with this problem when
running through a proxy.  Navigator connects to the proxy and issues a CONNECT
request, which tells the proxy to open up a connection to the server and relay
bits untouched.  If man-in-the-middle were a problem, the proxy would need to
be trusted, in which case we wouldn't need a CONNECT; we could proxy https:
just like http:.

That being said, I don't know the details of SSL, and still less those of TLS;
I may be missing something.

--
/====================================================================\
|John (Francis) Stracke    |My opinions are my own.|S/MIME supported |
|Software Retrophrenologist|=========================================|
|Netscape Comm. Corp.      | Don't anthropomorphize computers.       |
|francis@netscape.com      |   They don't like it.                   |
\====================================================================/
New area code for work number: 650

Received on Monday, 12 October 1998 15:51:14 UTC