[http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-basicauth-update-06: (with DISCUSS and COMMENT)
"Richard Barnes" <rlb@ipv.sx> Wed, 18 February 2015 19:47 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 190DF1A016C; Wed, 18 Feb 2015 11:47:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5AS78zpY9_UP; Wed, 18 Feb 2015 11:46:56 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A13971A015F; Wed, 18 Feb 2015 11:46:56 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Richard Barnes <rlb@ipv.sx>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.11.0.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150218194656.23776.44631.idtracker@ietfa.amsl.com>
Date: Wed, 18 Feb 2015 11:46:56 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/fd-5drBYYn02YFSPR1wriePkdWU>
Cc: http-auth@ietf.org, draft-ietf-httpauth-basicauth-update.all@ietf.org, httpauth-chairs@ietf.org, httpauth@ietf.org
Subject: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-basicauth-update-06: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 19:47:00 -0000
Richard Barnes has entered the following ballot position for draft-ietf-httpauth-basicauth-update-06: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-httpauth-basicauth-update/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Section 2.2 seems like a significant departure from RFC 2617, which says nothing about the scope of authentication. (1) Did the WG discuss the compatibility impact of this change? Although clients might send the Authorization header preemptively, they should still be prepared to get a 401 response back. (2) Did the WG discuss the possibilities for leakage of credentials due to this change? It's not hard to imagine scenarios where, say, "http://example.com/~user1" and "http://example.com/~user2" are controlled by different entities, and leakage between them would be harmful. (3) At the very least, there needs to be (a) a mention of this change in Appendix A, and (b) a discussion of leakage through unsolicited Authorization headers in the Security Considerations. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- The current text on the use of TLS is an OK start, but I would prefer if it were refactored so that the recommendation against Basic were general to HTTP and HTTPS. "Because Basic authentication involves the cleartext transmission of passwords it SHOULD NOT be used except over a secure channel such as HTTPS [RFC2818]. Likewise, due to the risk of compromise, Basic authentication SHOULD NOT be used to protect sensitive or valuable information."
- [http-auth] Richard Barnes' Discuss on draft-ietf… Richard Barnes
- [http-auth] Richard Barnes' Discuss on draft-ietf… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Julian Reschke
- Re: [http-auth] Richard Barnes' Discuss on draft-… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Roy T. Fielding
- Re: [http-auth] Richard Barnes' Discuss on draft-… Yoav Nir