Re: [secdir] SECDIR review of draft-ietf-httpbis-p7-auth-24

Stephen Kent <> Wed, 30 October 2013 14:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7EA2121F9ECE for <>; Wed, 30 Oct 2013 07:32:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.516
X-Spam-Status: No, score=-106.516 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cQHK7Ag6vfg5 for <>; Wed, 30 Oct 2013 07:32:52 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C61A011E830A for <>; Wed, 30 Oct 2013 07:32:38 -0700 (PDT)
Received: from ([]:51818) by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1VbWoo-0004j6-3W; Wed, 30 Oct 2013 10:32:22 -0400
Message-ID: <>
Date: Wed, 30 Oct 2013 10:32:22 -0400
From: Stephen Kent <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Julian Reschke <>, secdir <>,,, Barry Leiba <>, Pete Resnick <>, "Mankin, Allison" <>, HTTP Working Group <>
References: <> <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------080906030704090803020802"
Subject: Re: [secdir] SECDIR review of draft-ietf-httpbis-p7-auth-24
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Oct 2013 14:32:59 -0000

On 10/30/13 9:40 AM, Julian Reschke wrote:
> Stephen,
> On 2013-10-29 20:35, Stephen Kent wrote:
>> ...
>> The Security Considerations section (6) is about one page in length. It
>> references the SC sections in two in I-Ds:
>> draft-ietf-httpbis-p1-messaging-24 and
>> draft-ietf-httpbis-p2-semantics-24. Both of these I-Ds have non-trivial
>> SC sections, but one cannot say that this document has an acceptable SC
>> section until those documents are finalized. They are both normative
>> references, so this doc will nor progress independently, but there will
>> still be a need to revisit this SC when those SCs are finalized.
> These two other documents are in IETF LC as well.
OK. Then I suggest that whoever reviews them (hopefully not me) do so with
the SC section for this I-D in mind.
>> The SC section here addresses only two issues: purging credentials in
>> clients and user agents, and protection spaces. The discussion of the
>> former topic does not discuss how credential purging applies to proxies.
> As per httpbis-p1, a proxy is a client as well ('An HTTP "client" is a 
> program that establishes a connection to a server for the purpose of 
> sending one or more HTTP requests.' -- 
> <>). 
> Does this address your comment?
yes, but it might be clearer to note this, parenthetically, in this doc.
For example, page 5 includes the following text:

    The 407 (Proxy Authentication Required) response message is used by a

proxy to challenge the authorization of a client and MUST include a

Proxy-Authenticate header field containing at least one challenge

applicable to the proxy for the requested resource.

The use of the terms "proxy" and "client" here suggest that they are 
distinct notions,
not that a proxy is also considered a client.
>> Also, it is not clear that a user control for credential purging will
>> have the desired effect given a potentially complex GUI environment. The
> Any proposal for enhancing the text?

User agents that cache credentials are encouraged to provide a

readily accessible mechanism for discarding cached credentials under

user control. *We recognize that this may not be a trivial task.**
**   Designing a UI that will encourage users to purge credentials when**
**   appropriate, but not cause them to prematurely do so may be difficult.*

>> discussion of protection spaces provides useful suggestions on how to
>> minimize credential exposure.
>> I was a bit surprised that there was no advice deprecating the use of
>> passwords as credentials, if only to make a statement on this topic.
> This document just defines the HTTP authentication framework. It's not 
> intended to give general guidelines about the security of new 
> authentication schemes. But then, if you have some concrete proposal 
> for additional text, we're all ears.

This doc does provide guidance for new auth schemes, in 5.1.2. However, 
I agree that the guidance
there focuses on syntactic issues and compatibility, rather than 
security. So, if you don't want
to address this issue, OK.