Re: [secdir] secdir review of draft-ietf-httpbis-auth-info-04
Julian Reschke <julian.reschke@greenbytes.de> Tue, 07 April 2015 14:53 UTC
Message-ID: <5523EF7A.70009@greenbytes.de>
Date: Tue, 07 Apr 2015 16:53:46 +0200
From: Julian Reschke <julian.reschke@greenbytes.de>
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>, iesg@ietf.org, secdir@ietf.org, draft-ietf-httpbis-auth-info.all@tools.ietf.org
References: <276CBF09-D56C-4DFB-BCBC-D455BE33550F@nrl.navy.mil>
In-Reply-To: <276CBF09-D56C-4DFB-BCBC-D455BE33550F@nrl.navy.mil>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Fzf_etrJpj-tTQIu5q_hl4cQ9kw>
On 2015-04-06 22:35, Catherine Meadows wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
>
> This draft defines the “Authentication-Info” and
> “Proxy-Authentication-Info” response header fields for use in HTTP
> authentication.
> These are used for schemes that need to return information once a
> client’s authentication credentials have been accepted.
> The document defines the syntax, and gives instructions on how it should
> be treated (e.g. proxies forwarding a response are
> not allowed to modify it). The actual semantics of the fields depend
> upon the protocols that use them.
>
> In the Security Considerations section, the authors note that adding
> information to HTTP responses sent across an unencrypted
> channel can affect security and privacy. Indeed the presence of these
> header fields alone indicates that HTTP authentication is in use.
> Additional information
> could be exposed depending on the authentication scheme; but this is
> something that will need to be addressed in the definition of the schemes.
>
> I only have one small question about the Security Considerations
> section: wouldn’t there be other headers that indicate authentication is
> being used, such
> as a header indicating that a message contains the client’s credentials?
> If so, I don’t see how the introduction of an additional header field
> adds any further risk.
> ...

Other header fields might indeed be present, but not necessarily on the HTTP *response*.

> I believe that this ID is ready with nits.
>
> Cathy

Best regards, Julian
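Julian's point above, that the fields this draft defines travel on the response rather than the request, as an added example that is not part of the thread or of the draft: a small Python checker that reads a constructed HTTP response head, reports which response fields by themselves reveal that authentication is in use, and parses an Authentication-Info value. It assumes the field value is a comma-separated list of RFC 7235 auth-params; the Digest-style parameter names in the sample are constructed.

```python
import re
from typing import Dict, List, Tuple

# Response-side fields whose mere presence shows HTTP authentication is in use:
# the two fields from this draft plus the RFC 7235 challenge fields.
AUTH_INFO_FIELDS = ("authentication-info", "proxy-authentication-info")
CHALLENGE_FIELDS = ("www-authenticate", "proxy-authenticate")

# Assumption: value is a #-list of RFC 7235 auth-params,
#   auth-param = token BWS "=" BWS ( token / quoted-string )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*(?:,|$)")


def parse_auth_params(value: str) -> Dict[str, str]:
    """Split an Authentication-Info value into {name: unquoted value}."""
    params: Dict[str, str] = {}
    pos = 0
    while pos < len(value):
        while pos < len(value) and value[pos] in " \t,":  # skip empty list elements
            pos += 1
        if pos >= len(value):
            break
        m = _PARAM.match(value, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}: {value[pos:]!r}")
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo quoted-pair escapes
        params[name] = raw
        pos = m.end()
    return params


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (status line, [(lower-cased field name, value), ...])."""
    status, *lines = raw.split("\r\n")
    fields: List[Tuple[str, str]] = []
    for line in lines:
        if not line:
            break  # blank line ends the header section
        name, _, val = line.partition(":")
        fields.append((name.strip().lower(), val.strip()))
    return status, fields


def auth_exposure(raw_response: str) -> Dict[str, object]:
    """Report which response fields reveal that authentication is in use."""
    _, fields = parse_head(raw_response)
    report: Dict[str, object] = {"auth_in_use": False, "fields": [], "params": {}}
    for name, val in fields:
        if name in AUTH_INFO_FIELDS or name in CHALLENGE_FIELDS:
            report["auth_in_use"] = True
            report["fields"].append(name)
        if name in AUTH_INFO_FIELDS:
            report["params"][name] = parse_auth_params(val)
    return report


# Constructed sample: a successful Digest-authenticated response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 07 Apr 2015 14:53:46 GMT\r\n"
    'Authentication-Info: nextnonce="6bd3c9a0", qop=auth, rspauth="1a2b3c"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
)
```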