Changeset 1672

Timestamp:

Jun 8, 2012, 1:56:24 AM (7 years ago)

Author:

julian.reschke@…

Message:

add security consideration wrt realms (see #348)

Location:

draft-ietf-httpbis/latest

Files:

• p7-auth.html (modified) (12 diffs)
• p7-auth.xml (modified) (3 diffs)

draft-ietf-httpbis/latest/p7-auth.html

@@ -449 +449 @@
   } 
   @bottom-center {
-       content: "Expires December 7, 2012"; 
+       content: "Expires December 10, 2012"; 
   } 
   @bottom-right {
@@ -489 +489 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2012-06-05">
+      <meta name="dct.issued" scheme="ISO8601" content="2012-06-08">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines the HTTP Authentication framework.">
@@ -520 +520 @@
             </tr>
             <tr>
-               <td class="left">Expires: December 7, 2012</td>
+               <td class="left">Expires: December 10, 2012</td>
                <td class="right">greenbytes</td>
             </tr>
             <tr>
                <td class="left"></td>
-               <td class="right">June 5, 2012</td>
+               <td class="right">June 8, 2012</td>
             </tr>
          </tbody>
@@ -553 +553 @@
          in progress”.
       </p>
-      <p>This Internet-Draft will expire on December 7, 2012.</p>
+      <p>This Internet-Draft will expire on December 10, 2012.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
@@ -608 +608 @@
          <li>6.&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a><ul>
                <li>6.1&nbsp;&nbsp;&nbsp;<a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></li>
+               <li>6.2&nbsp;&nbsp;&nbsp;<a href="#protection.spaces">Protection Spaces</a></li>
             </ul>
          </li>
@@ -723 +724 @@
       <div id="rfc.iref.p.1"></div>
       <div id="rfc.iref.r.1"></div>
+      <div id="rfc.iref.c.3"></div>
       <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;<a id="protection.space" href="#protection.space">Protection Space (Realm)</a></h2>
       <p id="rfc.section.2.2.p.1">The authentication parameter realm is reserved for use by authentication schemes that wish to indicate the scope of protection.</p>
@@ -806 +808 @@
       </ul>
       <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1>
-      <div id="rfc.iref.12"></div>
+      <div id="rfc.iref.13"></div>
       <div id="rfc.iref.s.1"></div>
       <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h2>
@@ -814 +816 @@
          information.
       </p>
-      <div id="rfc.iref.13"></div>
+      <div id="rfc.iref.14"></div>
       <div id="rfc.iref.s.2"></div>
       <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2>
@@ -1003 +1005 @@
          in this problem. In particular, user agents which cache credentials are encouraged to provide a readily accessible mechanism
          for discarding cached credentials under user control.
+      </p>
+      <h2 id="rfc.section.6.2"><a href="#rfc.section.6.2">6.2</a>&nbsp;<a id="protection.spaces" href="#protection.spaces">Protection Spaces</a></h2>
+      <p id="rfc.section.6.2.p.1">Authentication schemes that solely rely on the "realm" mechanism for establishing a protection space will expose credentials
+         to all resources on a server. Clients that have successfully made authenticated requests with a resource can use the same
+         authentication credentials for other resources on the same server. This makes it possible for a different resource to harvest
+         authentication credentials for other resources.
+      </p>
+      <p id="rfc.section.6.2.p.2">This is of particular concern when a server hosts resources for multiple parties under the same canonical root URI (<a href="#protection.spaces" title="Protection Spaces">Section&nbsp;6.2</a>). Possible mitigation strategies include restricting direct access to authentication credentials (i.e., not making the content
+         of the Authorization request header field available), and separating protection spaces by using a different host name for
+         each party.
       </p>
       <h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a>&nbsp;<a id="acks" href="#acks">Acknowledgments</a></h1>
@@ -1130 +1142 @@
       <p id="rfc.section.C.1.p.1">Closed issues: </p>
       <ul>
+         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/348">http://tools.ietf.org/wg/httpbis/trac/ticket/348</a>&gt;: "Realms and scope"
+         </li>
          <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/349">http://tools.ietf.org/wg/httpbis/trac/ticket/349</a>&gt;: "Strength"
          </li>
@@ -1139 +1153 @@
          <ul class="ind">
             <li><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul>
-                  <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.12"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>
-                  <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.13"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>
+                  <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.13"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>
+                  <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.14"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>
                </ul>
             </li>
@@ -1154 +1168 @@
             </li>
             <li><a id="rfc.index.C" href="#rfc.index.C"><b>C</b></a><ul>
+                  <li>Canonical Root URI&nbsp;&nbsp;<a href="#rfc.iref.c.3">2.2</a></li>
                   <li><tt>challenge</tt>&nbsp;&nbsp;<a href="#rfc.iref.c.1"><b>2.1</b></a></li>
                   <li><tt>credentials</tt>&nbsp;&nbsp;<a href="#rfc.iref.c.2"><b>2.1</b></a></li>

draft-ietf-httpbis/latest/p7-auth.xml

@@ -342 +342 @@
   <iref item="Protection Space"/>
   <iref item="Realm"/>
+  <iref item="Canonical Root URI"/>
 <t>
    The authentication parameter realm is reserved for use by authentication
@@ -804 +805 @@
 </t>
 </section>
+
+<section title="Protection Spaces" anchor="protection.spaces">
+<t>
+  Authentication schemes that solely rely on the "realm" mechanism for
+  establishing a protection space will expose credentials to all resources on a
+  server. Clients that have successfully made authenticated requests with a
+  resource can use the same authentication credentials for other resources on
+  the same server. This makes it possible for a different resource to harvest
+  authentication credentials for other resources.
+</t>
+<t>
+  This is of particular concern when a server hosts resources for multiple
+  parties under the same canonical root URI (<xref target="protection.spaces"/>).
+  Possible mitigation strategies include restricting direct access to
+  authentication credentials (i.e., not making the content of the
+  Authorization request header field available), and separating protection
+  spaces by using a different host name for each party.
+</t>
+</section>
 </section>
 
@@ -1128 +1148 @@
   <list style="symbols">
     <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/348"/>:
+      "Realms and scope"
+    </t>
+    <t>
       <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/349"/>:
       "Strength"