[secdir] additional mechanisms on top of the auth framework, was: SECDIR review of draft-ietf-httpbis-p7-auth-24
Julian Reschke <julian.reschke@greenbytes.de> Thu, 31 October 2013 13:54 UTC
Return-Path: <julian.reschke@greenbytes.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 586DF11E8196 for <secdir@ietfa.amsl.com>; Thu, 31 Oct 2013 06:54:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.474
X-Spam-Level:
X-Spam-Status: No, score=-4.474 tagged_above=-999 required=5 tests=[AWL=-1.225, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TIuPhIF++pb9 for <secdir@ietfa.amsl.com>; Thu, 31 Oct 2013 06:54:49 -0700 (PDT)
Received: from central.greenbytes.de (mail.greenbytes.de [217.91.35.233]) by ietfa.amsl.com (Postfix) with ESMTP id 16B9911E8177 for <secdir@ietf.org>; Thu, 31 Oct 2013 06:54:49 -0700 (PDT)
Received: from [192.168.1.102] (unknown [217.91.35.233]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by central.greenbytes.de (Postfix) with ESMTPSA id 7185110C108E; Thu, 31 Oct 2013 14:54:47 +0100 (CET)
Message-ID: <52726125.1000802@greenbytes.de>
Date: Thu, 31 Oct 2013 14:54:45 +0100
From: Julian Reschke <julian.reschke@greenbytes.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, secdir <secdir@ietf.org>, fielding@gbiv.com, mnot@pobox.com, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, "Mankin, Allison" <amankin@verisign.com>, HTTP Working Group <ietf-http-wg@w3.org>
References: <52700DE4.8020208@bbn.com>
In-Reply-To: <52700DE4.8020208@bbn.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [secdir] additional mechanisms on top of the auth framework, was: SECDIR review of draft-ietf-httpbis-p7-auth-24
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2013 13:54:56 -0000
On 2013-10-29 20:35, Stephen Kent wrote: > ... > Later on page 6 the text says: > > The HTTP protocol does not restrict applications to this simple > > challenge-response framework for access authentication.Additional > > mechanisms MAY be used, such as encryption at the transport level or > > via message encapsulation, and with additional header fields > > specifying authentication information.However, such additional > > mechanisms are not defined by this specification. > > Encryption is not, per se, an authentication mechanism. Please revise > this text. > ... OK. Maybe: "HTTP does not restrict applications to this simple challenge-response framework. Additional mechanisms can be used, such as additional header fields carrying authentication information, or encryption on the transport layer in order to provide confidentiality. However, such additional mechanisms are not defined by this specification." ? Best regards, Julian
- [secdir] SECDIR review of draft-ietf-httpbis-p7-a… Stephen Kent
- [secdir] RFC2119 vs "ought" etc, was: SECDIR revi… Julian Reschke
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Richard Barnes
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Stephen Kent
- [secdir] WWW-Authenticate parsing quirks, was: SE… Julian Reschke
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Richard Barnes
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Barry Leiba
- [secdir] Reuse of credentials per realm, was: SEC… Julian Reschke
- Re: [secdir] Reuse of credentials per realm, was:… Stephen Kent
- Re: [secdir] Reuse of credentials per realm, was:… Julian Reschke
- [secdir] proxies and forwarding of credentials, w… Julian Reschke
- [secdir] additional mechanisms on top of the auth… Julian Reschke
- Re: [secdir] Reuse of credentials per realm, was:… Stephen Kent
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] additional mechanisms on top of the … Nico Williams
- Re: [secdir] proxies and forwarding of credential… Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Stephen Kent
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] proxies and forwarding of credential… Stephen Kent
- Re: [secdir] proxies and forwarding of credential… Mark Nottingham
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] proxies and forwarding of credential… Stephen Kent