- From: Robert Sayre <sayrer@gmail.com>
- Date: Wed, 5 Apr 2006 17:02:22 -0400
- To: www-tag@w3.org
- Cc: ed.rice@hp.com
Mark Nottingham wrote:
>
> On 2006/04/03, at 1:55 PM, Rice, Ed (ProCurve) wrote:
>>
>> SASL in HTTP/1.1
>> <http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-12.txt>
>
> As I understand it (the document is very complex), this effectively
> ties the authentication session to the HTTP connection, which breaks
> the layering of HTTP and introduces a big security hole;

I haven't read the SASL in HTTP document, but there's already been a lot
of integration and security trouble caused by Microsoft NTLM
authentication, which is also tied to the HTTP connection.

<http://www.modsecurity.org/archive/amit/ntlm_http_authentication_is_insecure_by_design.txt>

Regarding HMAC Digest, there's a new version coming soon. A more stable
URI to track the document is available from ISOC:

<http://ietfreport.isoc.org/idref/draft-sayre-http-hmac-digest/>

Coincidentally, Amazon's S3 Web storage service recently deployed a
proprietary authentication scheme that's very similar to HMAC Digest:

<http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html>

--
Robert Sayre
Received on Wednesday, 5 April 2006 21:02:48 UTC
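The contrast the message draws is between authentication bound to the HTTP connection (NTLM) and a per-request keyed MAC of the kind HMAC Digest and S3's REST scheme use. The following is an added example, not code from the message, the HMAC Digest draft, or Amazon. It signs and verifies requests S3-style: the string-to-sign layout (method, Content-MD5, Content-Type, Date, canonicalized x-amz-* headers, resource path), HMAC-SHA1 and the `AWS keyid:signature` header form follow the S3 REST authentication document of the time as recalled here and should be treated as an assumption; the credentials and the request are constructed. What it shows is that the server checks each request from that request's own headers, with no connection state, so a proxy or a new TCP connection changes nothing, and a modified header fails the check.

```python
import base64
import hashlib
import hmac

# Constructed, hypothetical credentials for the example (not real keys).
ACCESS_KEY_ID = "AKIAEXAMPLEKEY"
SECRET_KEY = b"example-secret-key-do-not-use"


def string_to_sign(method, headers, resource):
    """Build the S3-style StringToSign: the request fields the MAC covers,
    one per line. Layout as recalled from the 2006 S3 REST doc (assumption).
    Header names are matched case-insensitively; the Authorization header
    itself is never part of the signed string."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    amz = sorted((k, v) for k, v in h.items() if k.startswith("x-amz-"))
    canonical_amz = "".join(f"{k}:{v}\n" for k, v in amz)
    return "\n".join([
        method,
        h.get("content-md5", ""),
        h.get("content-type", ""),
        h.get("date", ""),
    ]) + "\n" + canonical_amz + resource


def sign(method, headers, resource, secret=SECRET_KEY, key_id=ACCESS_KEY_ID):
    """Client side: HMAC-SHA1 over the string-to-sign, base64, and the
    'AWS keyid:signature' Authorization value."""
    mac = hmac.new(secret, string_to_sign(method, headers, resource).encode(),
                   hashlib.sha1)
    return f"AWS {key_id}:{base64.b64encode(mac.digest()).decode()}"


def verify(method, headers, resource, secrets):
    """Server side: recompute the MAC from the request alone.  No session
    or connection state is consulted; every request stands on its own."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("AWS "):
        return False
    try:
        key_id, sig = auth[4:].split(":", 1)
    except ValueError:
        return False
    secret = secrets.get(key_id)
    if secret is None:
        return False
    expected = hmac.new(secret, string_to_sign(method, headers, resource).encode(),
                        hashlib.sha1).digest()
    try:
        given = base64.b64decode(sig, validate=True)
    except Exception:
        return False
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    return hmac.compare_digest(expected, given)


def demo():
    """Sign a constructed PUT, verify it, then verify a copy with one signed
    header changed.  Returns (original_ok, tampered_ok)."""
    headers = {
        "Date": "Wed, 05 Apr 2006 21:02:48 GMT",  # constructed sample request
        "Content-Type": "text/plain",
        "x-amz-acl": "private",
    }
    resource = "/examplebucket/hello.txt"
    headers["Authorization"] = sign("PUT", headers, resource)
    secrets = {ACCESS_KEY_ID: SECRET_KEY}  # the server's key table
    ok = verify("PUT", headers, resource, secrets)
    tampered = dict(headers, **{"x-amz-acl": "public-read"})
    bad = verify("PUT", tampered, resource, secrets)
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

Because the MAC covers the Date header, a server can additionally reject requests whose Date is outside an acceptance window to bound replay; that window is policy, not part of the MAC itself, and is left out above.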