Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-basicauth-update-06: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Wed, 18 February 2015 20:46 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 567AB1A1AB1 for <http-auth@ietfa.amsl.com>; Wed, 18 Feb 2015 12:46:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lB6cVgHMAvBN for <http-auth@ietfa.amsl.com>; Wed, 18 Feb 2015 12:46:41 -0800 (PST)
Received: from mail-la0-f52.google.com (mail-la0-f52.google.com [209.85.215.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92FF61A1A8B for <http-auth@ietf.org>; Wed, 18 Feb 2015 12:46:35 -0800 (PST)
Received: by labgf13 with SMTP id gf13so3753983lab.9 for <http-auth@ietf.org>; Wed, 18 Feb 2015 12:46:34 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=8NwEE33Hr/4a1B6tePW//Vublg1fDsnyPuPt3ze34co=; b=i+dx3bJjCF+dZN5pQKEUMRD2bgHp9ypPUl14QxHMnW1ujCqf29UxGN4G8x4/V0Ndio ByjUM/jtG8Vv7Hxlmp8p4vsYOByEv9z0fwE7aF0ByNKYcfoeieuzLnIzlsopWU/zoqRZ EmlaQG8b3JDQbViAaodV55vXd+a8xnWi2s2G2jFGkHMP9nilJsH/WdjioajJbSJqeoHa 4KegtTj8lcNiHKHzzq3b7pOlY6GU2Ljy19jVCB9XQpzlZLAyd5bkzFC+jciVrmWb24B2 5Xx0OKfOl7p5ymfDQB798hRPjh+NQu3SZn2tETMFwS4qUAEu0mWya7QswpOarQ6+KiyG 8pfw==
X-Gm-Message-State: ALoCoQkEBL2uA0V6CO5xIl97lYMKG9gyXBz3VnvhVVOZI7TgG8cCzIYgdxmdMznxgdiuvZ7Pms3B
MIME-Version: 1.0
X-Received: by 10.112.65.196 with SMTP id z4mr1240128lbs.28.1424292394085; Wed, 18 Feb 2015 12:46:34 -0800 (PST)
Received: by 10.25.135.4 with HTTP; Wed, 18 Feb 2015 12:46:34 -0800 (PST)
In-Reply-To: <54E4ED66.4040100@greenbytes.de>
References: <20150218194749.23802.1910.idtracker@ietfa.amsl.com> <54E4ED66.4040100@greenbytes.de>
Date: Wed, 18 Feb 2015 15:46:34 -0500
Message-ID: <CAL02cgSo+h7HLnGK2aPpodDwLSVU_8ZjzfxsrCaw93oq2Ox=5Q@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Julian Reschke <julian.reschke@greenbytes.de>
Content-Type: multipart/alternative; boundary="001a1136073a34c626050f62ea71"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/Ff9SOWp-H8gTgdN-qi94vy120cE>
Cc: http-auth@ietf.org, draft-ietf-httpauth-basicauth-update.all@ietf.org, The IESG <iesg@ietf.org>, httpauth-chairs@ietf.org
Subject: Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-basicauth-update-06: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 20:46:43 -0000
On Wed, Feb 18, 2015 at 2:52 PM, Julian Reschke < julian.reschke@greenbytes.de> wrote: > On 2015-02-18 20:47, Richard Barnes wrote: > >> Richard Barnes has entered the following ballot position for >> draft-ietf-httpauth-basicauth-update-06: Discuss >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> http://datatracker.ietf.org/doc/draft-ietf-httpauth-basicauth-update/ >> >> >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> Section 2.2 seems like a significant departure from RFC 2617, which says >> nothing about the scope of authentication. >> > > It's only a rephrasing of <http://greenbytes.de/tech/ > webdav/rfc2617.html#rfc.section.2.p.8>. Ah, thank you. The change in wording stymied my efforts to find the comparable text. It still seems like it would be good to mention this leakage risk in the security considerations. But I've moved this to a COMMENT. > > > (1) Did the WG discuss the compatibility impact of this change? Although >> clients might send the Authorization header preemptively, they should >> still be prepared to get a 401 response back. >> >> (2) Did the WG discuss the possibilities for leakage of credentials due >> to this change? It's not hard to imagine scenarios where, say, >> "http://example.com/~user1" and "http://example.com/~user2" are >> controlled by different entities, and leakage between them would be >> harmful. >> >> (3) At the very least, there needs to be (a) a mention of this change in >> Appendix A, and (b) a discussion of leakage through unsolicited >> Authorization headers in the Security Considerations. >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> The current text on the use of TLS is an OK start, but I would prefer if >> it were refactored so that the recommendation against Basic were general >> to HTTP and HTTPS. >> >> "Because Basic authentication involves the cleartext transmission of >> passwords it SHOULD NOT be used except over a secure channel such as >> HTTPS [RFC2818]. Likewise, due to the risk of compromise, Basic >> authentication SHOULD NOT be used to protect sensitive or valuable >> information." >> >> >> > > -- > <green/>bytes GmbH, Hafenweg 16, D-48155 Münster, Germany > Amtsgericht Münster: HRB5782 >
- [http-auth] Richard Barnes' Discuss on draft-ietf… Richard Barnes
- [http-auth] Richard Barnes' Discuss on draft-ietf… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Julian Reschke
- Re: [http-auth] Richard Barnes' Discuss on draft-… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Roy T. Fielding
- Re: [http-auth] Richard Barnes' Discuss on draft-… Yoav Nir