[secdir] Reuse of credentials per realm, was: SECDIR review of draft-ietf-httpbis-p7-auth-24

Julian Reschke <julian.reschke@gmx.de> Wed, 30 October 2013 16:25 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E71821E80B6 for <secdir@ietfa.amsl.com>; Wed, 30 Oct 2013 09:25:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.187
X-Spam-Level:
X-Spam-Status: No, score=-104.187 tagged_above=-999 required=5 tests=[AWL=-1.588, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iarsBOZorsYn for <secdir@ietfa.amsl.com>; Wed, 30 Oct 2013 09:25:19 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id 1C86511E8253 for <secdir@ietf.org>; Wed, 30 Oct 2013 09:25:13 -0700 (PDT)
Received: from [192.168.1.102] ([217.91.35.233]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0Mcgur-1VJkiC2KSv-00HtBJ for <secdir@ietf.org>; Wed, 30 Oct 2013 17:25:11 +0100
Message-ID: <527132E3.3000001@gmx.de>
Date: Wed, 30 Oct 2013 17:25:07 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, secdir <secdir@ietf.org>, fielding@gbiv.com, mnot@pobox.com, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, "Mankin, Allison" <amankin@verisign.com>, HTTP Working Group <ietf-http-wg@w3.org>
References: <52700DE4.8020208@bbn.com>
In-Reply-To: <52700DE4.8020208@bbn.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:rc87J+KtFtQUTrR5dfVTVHT+zUDE/CzU947cKJ2q4DciGmw1jvO bpvU7dV+h7rgCadpGh0FlW5AEVX3mcRvbwM16DsuNPSK86iDWmh2qm09lW5+6/1eFRcB3YG fyJV0Sn59bLCNGmk7ycUCkVY8f1CRXZ95Y0SzfeYaRxom/e4zj06aVZcLnChLgnqZLrqAih hYGS2zrRqzJ8RpEd38OMw==
Subject: [secdir] Reuse of credentials per realm, was: SECDIR review of draft-ietf-httpbis-p7-auth-24
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Oct 2013 16:25:25 -0000

On 2013-10-29 20:35, Stephen Kent wrote:
> ...
> In Section 2.2 the text says:
>
> The protection space determines the domain over which credentials can
>
> be automatically applied.If a prior request has been authorized,
>
> the user agent MAY reuse the same credentials for all other requests
>
> within that protection space for a period of time determined by the
>
> authentication scheme, parameters, and/or user preference.
>
> I’m not clear how user preferences fit into this process. It would seem
> that the server would decide whether a prior authorization is valid for
> later requests, not a user.
> ...

Of course it's up to the server to accept or reject it. The text you 
cite is about the user agent deciding whether it can try to use the 
credentials.

Does this require a clarification?

Best regards, Julian