httpwg / httpbis-issues


mention TLS vs plain text passwords or dict attacks? #539

Closed mnot closed 3 years ago

mnot commented 10 years ago

Sean Turner

1) So I guess the reason we're not saying TLS is an MTI with basic/digest is that that's getting done in an httpauth draft? It really wouldn't hurt to duplicate that while we're getting the other one done (I know you don't want a reference to that draft).


Stephen Farrell

Please check the secdir review. (http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I agree with the comment that this really should have some mention of using TLS to protect basic/digest, even if that ought also be elsewhere.

Reported by julian.reschke@gmx.de, migrated from https://trac.ietf.org/trac/httpbis/ticket/539

mnot commented 10 years ago

julian.reschke@gmx.de commented:

P7 currently does not attempt to discuss security considerations that would be specific to particular authentication schemes.

Basic and Digest are defined in RFC 2617, and already have these warnings in their Security Considerations. The same will be true for the replacement specs the HTTPAUTH WG is working on.

Thus I'd like to close this as WONTFIX.

mnot commented 10 years ago

fielding@gbiv.com commented:

It would make sense to have a general mention of using a secured connection (e.g., TLS) when using any form of authentication, regardless of auth-scheme. However, it would be incorrect to say that it is mandatory to implement; such requirements do not apply to HTTP/1.1.

mnot commented 10 years ago

Replying to [comment:2 fielding@…]:

It would make sense to have a general mention of using a secured connection (e.g., TLS) when using any form of authentication, regardless of auth-scheme. However, it would be incorrect to say that it is mandatory to implement; such requirements do not apply to HTTP/1.1.

In the Introduction, I assume. Care to propose concrete text...

mnot commented 10 years ago

Proposed change

mnot commented 10 years ago

julian.reschke@gmx.de commented:

From 2571:

mention that the auth related header fields by default are sent unsecured and hint at TLS (see #539)
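The point in this comment, as an added illustration that is not part of the issue or the httpbis drafts: a WSGI-style server policy that treats Authorization and Proxy-Authorization as sensitive, reports when they arrive over plaintext, and only solicits or accepts them on a TLS connection. The environ keys are the standard WSGI/CGI ones; trusting X-Forwarded-Proto is an assumption about a reverse proxy terminating TLS in front of the application.

```python
# Added example, not from the httpbis issue or drafts: a WSGI-style policy
# that treats Authorization / Proxy-Authorization as sensitive and only
# solicits or accepts them over TLS. environ keys are standard WSGI/CGI.

# Header fields that carry credentials; HTTP itself sends them unprotected.
CREDENTIAL_HEADERS = ("HTTP_AUTHORIZATION", "HTTP_PROXY_AUTHORIZATION")


def is_secured(environ, trust_forwarded_proto=False):
    """True if the request reached us over TLS, directly or via a trusted proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Assumption: a trusted reverse proxy terminates TLS and sets this header.
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def credentials_in_clear(environ, trust_forwarded_proto=False):
    """Credential-bearing header fields that arrived over plaintext (for logging)."""
    if is_secured(environ, trust_forwarded_proto):
        return []
    return [h for h in CREDENTIAL_HEADERS if h in environ]


def auth_gate(environ, realm="example", trust_forwarded_proto=False):
    """Decide the response before the application ever looks at credentials.
    Returns (status, headers)."""
    if not is_secured(environ, trust_forwarded_proto):
        # Never issue a Basic challenge on plaintext: it asks the client to
        # send a reusable password in the clear. Any credentials already
        # present are ignored, not validated; the client must retry over TLS.
        host = environ.get("HTTP_HOST", "localhost")
        path = environ.get("PATH_INFO", "/")
        return ("301 Moved Permanently", [("Location", f"https://{host}{path}")])
    if "HTTP_AUTHORIZATION" not in environ:
        return ("401 Unauthorized",
                [("WWW-Authenticate", f'Basic realm="{realm}", charset="UTF-8"')])
    return ("200 OK", [])


if __name__ == "__main__":
    # Constructed sample request: Basic credentials over plain http.
    req = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.test",
           "PATH_INFO": "/admin", "HTTP_AUTHORIZATION": "Basic dXNlcjpwYXNz"}
    print(credentials_in_clear(req), auth_gate(req))
```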

mnot commented 10 years ago

fielding@gbiv.com commented:

From 2573:

(editorial) move and expand on discussion of confidentiality of credentials in its own security considerations section; see #539