Closed by mnot 3 years ago
julian.reschke@gmx.de commented:
P7 currently does not attempt to discuss security considerations that would be specific to particular authentication schemes.
Basic and Digest are defined in RFC 2617, and already have these warnings in their Security Considerations. The same will be true for the replacement specs the HTTPAUTH WG is working on.
Thus I'd like to close this as WONTFIX.
fielding@gbiv.com commented:
It would make sense to have a general mention of using a secured connection (e.g., TLS) when using any form of authentication, regardless of auth-scheme. However, it would be incorrect to say that it is mandatory to implement; such requirements do not apply to HTTP/1.1.
Replying to [comment:2 fielding@…]:
It would make sense to have a general mention of using a secured connection (e.g., TLS) when using any form of authentication, regardless of auth-scheme. However, it would be incorrect to say that it is mandatory to implement; such requirements do not apply to HTTP/1.1.
In the Introduction, I assume. Care to propose concrete text?
Attachment: 539.diff (proposed change)
julian.reschke@gmx.de commented:
From 2571:
mention that the auth related header fields by default are sent unsecured and hint at TLS (see #539)
Resolution: incorporated; status changed from new to closed.
Sean Turner
1) So I guess the reason we're not saying TLS is an MTI with basic/digest is that that's getting done in an httpauth draft? It really wouldn't hurt to duplicate that while we're getting the other one done (I know you don't want a reference to that draft).
Stephen Farrell
Please check the secdir review. (http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I agree with the comment that this really should have some mention of using TLS to protect basic/digest, even if that ought also be elsewhere.
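The point the thread keeps circling back to, that Authorization and the other P7 header fields travel unprotected unless the connection itself is secured, is easy to make concrete. The following is an added example, not text or code from the ticket, the httpbis drafts or RFC 2617: it parses two constructed cleartext request captures, shows what a passive observer recovers from a Basic and a Digest Authorization field (the Digest parameter values are RFC 2617's own worked example, password "Circle Of Life"), runs an offline guess against the captured Digest response, and ends with a client-side policy check that refuses to emit credentials over plain http. The function names and the loopback exemption are this example's choices, not anything the specs prescribe.

```python
"""Added example: what cleartext HTTP leaks from Basic/Digest, and a TLS guard.
Not part of ticket #539, RFC 2617 or the httpbis drafts. Captures are constructed.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed cleartext captures (not real traffic). Basic value is RFC 2617's
# "Aladdin:open sesame"; Digest values are RFC 2617 section 3.5's example.
BASIC_REQUEST = (
    b"GET /private HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    b"\r\n"
)
DIGEST_REQUEST = (
    b"GET /dir/index.html HTTP/1.1\r\n"
    b"Host: host.com\r\n"
    b'Authorization: Digest username="Mufasa", realm="testrealm@host.com", '
    b'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    b'qop=auth, nc=00000001, cnonce="0a4f113b", '
    b'response="6629fae49393a05397450978507c4ef1", '
    b'opaque="5ccc069c403ebaf9f0171e9517f40e41"\r\n'
    b"\r\n"
)

# auth-param: token=quoted-string | token=token
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def observe_credentials(raw):
    """What a passive on-path observer learns from an unprotected Authorization field."""
    method, _target, headers = parse_request(raw)
    auth = headers.get("authorization")
    if auth is None:
        return None
    scheme, _, params = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64, an encoding, not encryption: username and password are in the clear.
        user, _, password = base64.b64decode(params).decode("latin-1").partition(":")
        return {"scheme": "basic", "username": user, "password": password}
    if scheme == "digest":
        fields = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in _PARAM_RE.finditer(params)}
        fields["scheme"] = "digest"
        fields["method"] = method
        return fields
    return {"scheme": scheme, "raw": params}


def _md5(s):
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 Digest response for the MD5 algorithm, with and without qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def crack_digest(observed, candidates):
    """Offline guessing against a captured Digest exchange.

    Digest hides the password itself, but every other input to the response
    (username, realm, nonce, cnonce, nc, qop, method, URI) was observed in
    the clear, so a captured response is a password hash to crack at leisure.
    """
    for pw in candidates:
        if digest_response(observed["username"], observed["realm"], pw, observed["method"],
                           observed["uri"], observed["nonce"], observed.get("nc"),
                           observed.get("cnonce"), observed.get("qop")) == observed["response"]:
            return pw
    return None


def safe_to_send_credentials(url):
    """Client-side policy (this example's choice, not a spec rule): only attach
    Authorization / Proxy-Authorization when the transport is TLS, with a
    loopback exemption for local development."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    return parts.hostname in ("localhost", "127.0.0.1", "::1")
```

Run against the two captures, observe_credentials returns the Basic user and password verbatim, and crack_digest recovers "Circle Of Life" from the Digest capture given a small wordlist, which is why the hint at TLS belongs in the generic text and not only in the Basic/Digest security considerations.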
Reported by julian.reschke@gmx.de, migrated from https://trac.ietf.org/trac/httpbis/ticket/539