Re: [Ietf-message-headers] HTTP header registration question

Martin Duerst <duerst@it.aoyama.ac.jp> Fri, 12 October 2007 07:40 UTC

Message-Id: <6.0.0.20.2.20071012095202.07676520@localhost>
Date: Fri, 12 Oct 2007 09:57:04 +0900
To: Anne van Kesteren <annevk@opera.com>, Graham Klyne <GK-lists@ninebynine.org>
From: Martin Duerst <duerst@it.aoyama.ac.jp>
Subject: Re: [Ietf-message-headers] HTTP header registration question
In-Reply-To: <op.tzzq2rey64w2qv@annevk-t60.oslo.opera.com>
References: <op.tza9zqen64w2qv@annevk-t60.oslo.opera.com> <470BFA49.2070605@ninebynine.org> <op.tzzq2rey64w2qv@annevk-t60.oslo.opera.com>
Cc: ietf-message-headers@lists.ietf.org

I have just realized that I haven't seen any security issues
for this proposal described or discussed, although I think
that there may be quite some security issues connected to
phishing, which should be carefully analysed and described.

The scenario I'm thinking about is that a phishing site,
rather than as currently having to get the passwords from
the user to its server, and then from there contact the
real server, may be able to list the real server in
an Access-Control header and therewith may be able to
correspond directly between client and real server,
potentially circumventing some security checks that
were in place until now (e.g. a plausibility check
for the IP address of the user,...).

Regards,   Martin.


At 02:05 07/10/11, Anne van Kesteren wrote:
>On Wed, 10 Oct 2007 00:01:45 +0200, Graham Klyne <GK-lists@ninebynine.org>  
>wrote:
>> My comments concern procedural matters - I make no judgement here about  
>> the technical content of the proposal...
>
>Feel free to make comments on the technical content though!
>
>
>> The registration would probably have to be provisional until such time  
>> as the specification documents achieve some kind of standard-equivalent  
>> status (e.g. W3C REC).  The status information is generally  
>> "provisional"  for headers in the provisional registry.  If this is W3C  
>> WG activity for which there is general consensus on the direction if not  
>> the final details, then I'd suggest that provisional registration should  
>> be progressed sooner rather than later
>> (including a note of the venue for ongoing development of the  
>> specification).
>
>Ok. I believe that I can do that tomorrow as the two review weeks have  
>passed then. (I initially e-mailed it on Thu 27 Sep 2007.)
>
>
>> Three separate templates may be preferable - they will lead to separate  
>> entries in the registry.
>
>Ok.
>
>
>> With reference to other discussion, in which you said: "the other two  
>> are both mentioned and it's defined what they are to contain. (They are  
>> request headers.) Maybe they should have syntax definitions as well just  
>> to make it complete."
>>
>> ... I think it may help if:
>> (a) they had syntax definitions (or reference to some existing  
>> definition), and
>> (b) if it's not obvious, that there be some indication to where in the  
>> document the headers are defined (section number of suchlike).
>
>http://dev.w3.org/2006/waf/access-control/ now includes the syntax  
>definitions.
>
>
>> The standard of definition required will be higher for permanent  
>> registration.
>
>What are the requirements exactly?
>
>
>Thanks a lot by the way!
>
>
>-- 
>Anne van Kesteren
><http://annevankesteren.nl/>
><http://www.opera.com/>
>
>
>_______________________________________________
>Ietf-message-headers mailing list
>Ietf-message-headers@ietf.org
>https://www1.ietf.org/mailman/listinfo/ietf-message-headers


#-#-#  Martin J. Du"rst, Assoc. Professor, Aoyama Gakuin University
#-#-#  http://www.sw.it.aoyama.ac.jp       mailto:duerst@it.aoyama.ac.jp     
