Re: [hybi] -09: security considerations

Diogo Pereira <diogo.pereira@ist.utl.pt> Mon, 20 June 2011 07:20 UTC

From: Diogo Pereira <diogo.pereira@ist.utl.pt>
Date: Mon, 20 Jun 2011 08:19:51 +0100
Message-ID: <BANLkTimq2CiSjiS=+yiLmhg9yxACgAZViA@mail.gmail.com>
To: Greg Wilkins <gregw@intalio.com>
Content-Type: text/plain; charset=UTF-8
Cc: hybi@ietf.org
Subject: Re: [hybi] -09: security considerations

2011/6/20 Greg Wilkins <gregw@intalio.com>:
> Also HTTP has BASIC and DIGEST authentication, while WS does not
> (although it could very easily support these).

I think this is implicitly allowed:

 "1.  If the status code received from the server is not 101, the
       client handles the response per HTTP procedures." (p. 30)

So in response to a 401 the client could resend the handshake request
with an Authorization header.

-- 
Diogo
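The handling Diogo describes, as an added example that is not part of this thread: a client-side handshake helper that treats a non-101 status per HTTP procedures, retrying once with an Authorization header when the server answers 401 with a Basic challenge, and otherwise failing the connection. It assumes the RFC 6455 form of the handshake (Sec-WebSocket-Version 13 and the Sec-WebSocket-Accept computation) and constructs the host, path and credentials it uses.

```python
import base64
import hashlib
import secrets

# Handshake GUID from RFC 6455 (assumed here for the accept computation).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def new_key():
    """Fresh 16-byte random nonce, base64-encoded, for Sec-WebSocket-Key."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def expected_accept(key):
    """Value the server must echo in Sec-WebSocket-Accept for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def build_handshake(host, path, key, authorization=None):
    """Opening handshake request; Authorization is added only on retry."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Upgrade: websocket",
             "Connection: Upgrade", f"Sec-WebSocket-Key: {key}",
             "Sec-WebSocket-Version: 13"]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_response(raw):
    """Split an HTTP response head into (status, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def handle_response(raw, host, path, key, credentials, retried):
    """Return ("open", None), ("retry", request) or ("fail", reason)."""
    status, headers = parse_response(raw)
    if status == 101:
        # Never accept the upgrade unless the server proved it saw our key.
        if headers.get("sec-websocket-accept") != expected_accept(key):
            return ("fail", "bad Sec-WebSocket-Accept")
        return ("open", None)
    # Non-101: handle per HTTP. Retry at most once so a 401 loop cannot occur.
    if status == 401 and not retried and credentials:
        scheme = headers.get("www-authenticate", "").split(" ")[0].lower()
        if scheme == "basic":  # Basic is only base64, so use this over TLS (wss)
            token = base64.b64encode(":".join(credentials).encode()).decode()
            return ("retry", build_handshake(host, path, key, f"Basic {token}"))
    return ("fail", f"HTTP {status}")
```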