- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Mon, 3 Apr 2006 16:41:55 -0700
- To: "Rice, Ed (ProCurve)" <ed.rice@hp.com>
- Cc: <www-tag@w3.org>
On 2006/04/03, at 1:55 PM, Rice, Ed (ProCurve) wrote:

> SASL in HTTP/1.1
> <http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-12.txt>

As I understand it (the document is very complex), this effectively ties the authentication session to the HTTP connection, which breaks the layering of HTTP and introduces a big security hole; e.g., a SASL-naive proxy that mux's connections from several clients can interlace requests from client A into the request stream of client B to server S, effectively giving A's credentials to B. See 4.7.1 Example 1, towards the end where the client re-tries the original request once the auth negotiation takes place.

I've made this comment previously to the authors, apparently to no avail.

--
Mark Nottingham
mnot@yahoo-inc.com
Received on Monday, 3 April 2006 23:43:02 UTC
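The layering problem Mark describes (authentication state bound to the connection rather than to each request, behind a proxy that multiplexes several clients onto one upstream connection) can be shown with a small simulation. This is an added example, not code from the message, the draft, or any of the parties involved; the server classes, the proxy, the `Auth` header format and the user table are all constructed for illustration and do not follow the draft's actual SASL framing. It contrasts a connection-bound server with a per-request server under the same interleaved traffic, which is the comparison a reviewer would want when evaluating such a design.

```python
"""Constructed simulation: connection-bound vs. per-request authentication
when an auth-naive proxy multiplexes two downstream clients onto one
upstream connection to server S (hypothetical model, not the draft's wire format)."""

from dataclasses import dataclass

# Constructed credential table: user -> secret (illustration only).
USERS = {"alice": "s3cret"}


@dataclass
class Request:
    client: str     # downstream client that originated the request (bookkeeping only;
                    # the server never sees this, which is the whole point)
    path: str
    headers: dict   # constructed "Auth: user:secret" header stands in for a SASL exchange


def _check(auth_value):
    """Return the authenticated user for a constructed 'user:secret' value, or None."""
    if auth_value is None or ":" not in auth_value:
        return None
    user, secret = auth_value.split(":", 1)
    return user if USERS.get(user) == secret else None


class ConnectionBoundServer:
    """Authenticates once, then remembers the principal for every later
    request arriving on the same connection (the connection-bound model)."""

    def __init__(self):
        self.principal_by_conn = {}

    def handle(self, conn_id, req):
        if "Auth" in req.headers:
            user = _check(req.headers["Auth"])
            if user is None:
                return (401, None, req.path)
            self.principal_by_conn[conn_id] = user   # state now lives on the connection
            return (200, user, req.path)
        principal = self.principal_by_conn.get(conn_id)
        if principal is None:
            return (401, None, req.path)
        return (200, principal, req.path)


class PerRequestServer:
    """Authenticates each request on its own merits; nothing survives between requests."""

    def handle(self, conn_id, req):
        user = _check(req.headers.get("Auth"))
        if user is None:
            return (401, None, req.path)
        return (200, user, req.path)


class MultiplexingProxy:
    """Auth-naive proxy: forwards requests from many downstream clients over a
    single upstream connection, in arrival order, without any per-client isolation."""

    def __init__(self, server):
        self.server = server
        self.upstream_conn = "proxy->S#1"   # one shared upstream connection

    def forward(self, requests):
        # Each result: (originating client, status, principal the server believed, path)
        return [(r.client,) + self.server.handle(self.upstream_conn, r) for r in requests]


def interleaved_traffic():
    """Constructed stream mirroring the retry pattern in the message: client A
    authenticates, client B's unauthenticated request is interleaved by the
    proxy, then A retries its original request."""
    return [
        Request("A", "/login", {"Auth": "alice:s3cret"}),
        Request("B", "/private", {}),
        Request("A", "/private", {}),
    ]


def run(server_cls):
    """Drive the constructed traffic through the proxy against the given server model."""
    return MultiplexingProxy(server_cls()).forward(interleaved_traffic())


if __name__ == "__main__":
    for cls in (ConnectionBoundServer, PerRequestServer):
        print(cls.__name__)
        for client, status, principal, path in run(cls):
            print(f"  client {client} -> {status} as {principal!r} for {path}")
```

With the connection-bound model, B's request on the shared connection is served as `alice`, because the server keyed the principal on the connection and the proxy gave it no way to tell the two clients apart. With the per-request model, the same traffic yields 401 for B (and for A's retry until it re-presents credentials), which is the behaviour that preserves HTTP's layering. In a real deployment the fix is to carry the authentication with the request, or to have any intermediary that terminates the authenticated connection refuse to multiplex across it; a proxy that does neither should be treated as a credential-mixing risk in threat models for this kind of binding.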