Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-basicauth-update-06: (with DISCUSS and COMMENT)

Yoav Nir <ynir.ietf@gmail.com> Thu, 19 February 2015 06:27 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <925022E5-F72D-4973-B262-934E367B76F9@gbiv.com>
Date: Thu, 19 Feb 2015 08:27:40 +0200
Message-Id: <7C7024B5-E15E-400F-8CAF-D4B6DBF1B172@gmail.com>
References: <20150218194656.23776.44631.idtracker@ietfa.amsl.com> <925022E5-F72D-4973-B262-934E367B76F9@gbiv.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/_TZEJMVpVVunLlN946MvBclvNhQ>
Cc: Richard Barnes <rlb@ipv.sx>, httpauth-chairs@ietf.org, http-auth@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-httpauth-basicauth-update.all@ietf.org, httpauth@ietf.org
Subject: Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-basicauth-update-06: (with DISCUSS and COMMENT)

> On Feb 19, 2015, at 3:08 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
> 
>> "Because Basic authentication involves the cleartext transmission of
>> passwords it SHOULD NOT be used except over a secure channel such as
>> HTTPS [RFC2818]. Likewise, due to the risk of compromise, Basic
>> authentication SHOULD NOT be used to protect sensitive or valuable
>> information."
> 
> The secure channel would be "such as authenticated TLS", not HTTPS;
> it doesn't matter what scheme is used.  Also, the last sentence is
> inappropriate and pointless.
> 
> Historically (and currently), Basic authentication has been necessary
> for environments where the end authentication mechanism is controlled
> by a downstream server that uses legacy accounts and passwords.  Hence,
> the Web server (acting as a gateway to that service) needs the actual
> credentials as plain text in order for the user to be authenticated.

I think it can be argued that this is a better arrangement than placing a database of passwords or password equivalents directly on a web-connected server.

Yoav
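As an added example, not part of this thread or of the draft itself: a Python parser for the Basic credential format the draft describes, with the secure-channel check that the quoted Security Considerations text argues over. It assumes the server challenged with charset="UTF-8" (a parameter the draft defines, so the decoded octets are treated as UTF-8), that the caller can attest whether the request arrived over authenticated TLS, and that `downstream_verify` is a hypothetical callable standing in for the legacy account store Roy describes.

```python
import base64
import binascii
from typing import Callable, Tuple


class BasicAuthError(ValueError):
    """Raised when an Authorization header cannot be accepted."""


def parse_basic_credentials(authorization: str, over_secure_channel: bool) -> Tuple[str, str]:
    """Return (user_id, password) from an 'Authorization: Basic <token>' header.

    The token is base64 of 'user-id:password'. The user-id cannot contain a
    colon, so the split is on the first colon only (passwords may contain
    colons). Octets are decoded as UTF-8 (assumption: the challenge carried
    charset="UTF-8"). Because the decoded value is the plaintext password, the
    function refuses to decode at all unless the caller attests that the
    request came over an authenticated TLS connection.
    """
    if not over_secure_channel:
        raise BasicAuthError("Basic credentials are only accepted over a secure channel")
    scheme, sep, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not sep or not token.strip():
        raise BasicAuthError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        raise BasicAuthError("malformed base64 in Basic credential")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise BasicAuthError("credential octets are not valid UTF-8")
    user_id, colon, password = text.partition(":")
    if not colon:
        raise BasicAuthError("missing ':' between user-id and password")
    return user_id, password


def gateway_authenticate(authorization: str, over_secure_channel: bool,
                         downstream_verify: Callable[[str, str], bool]) -> bool:
    """Gateway pattern from the thread: the web server keeps no password store.

    It decodes the credential only to hand it to the downstream verifier for
    this one request, then returns the decision. Any parse or channel failure
    is a plain refusal (False), never an exception leaking to the client.
    """
    try:
        user_id, password = parse_basic_credentials(authorization, over_secure_channel)
    except BasicAuthError:
        return False
    return bool(downstream_verify(user_id, password))
```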