Changeset 1672
- Timestamp:
- 08/06/12 08:56:24 (10 years ago)
- Location:
- draft-ietf-httpbis/latest
- Files:
-
- 2 edited
draft-ietf-httpbis/latest/p7-auth.html
r1669 r1672 449 449 } 450 450 @bottom-center { 451 content: "Expires December 7, 2012";451 content: "Expires December 10, 2012"; 452 452 } 453 453 @bottom-right { … … 489 489 <meta name="dct.creator" content="Reschke, J. F."> 490 490 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest"> 491 <meta name="dct.issued" scheme="ISO8601" content="2012-06-0 5">491 <meta name="dct.issued" scheme="ISO8601" content="2012-06-08"> 492 492 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 493 493 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines the HTTP Authentication framework."> … … 520 520 </tr> 521 521 <tr> 522 <td class="left">Expires: December 7, 2012</td>522 <td class="left">Expires: December 10, 2012</td> 523 523 <td class="right">greenbytes</td> 524 524 </tr> 525 525 <tr> 526 526 <td class="left"></td> 527 <td class="right">June 5, 2012</td>527 <td class="right">June 8, 2012</td> 528 528 </tr> 529 529 </tbody> … … 553 553 in progress”. 554 554 </p> 555 <p>This Internet-Draft will expire on December 7, 2012.</p>555 <p>This Internet-Draft will expire on December 10, 2012.</p> 556 556 <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1> 557 557 <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p> … … 608 608 <li>6. 
<a href="#security.considerations">Security Considerations</a><ul> 609 609 <li>6.1 <a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></li> 610 <li>6.2 <a href="#protection.spaces">Protection Spaces</a></li> 610 611 </ul> 611 612 </li> … … 723 724 <div id="rfc.iref.p.1"></div> 724 725 <div id="rfc.iref.r.1"></div> 726 <div id="rfc.iref.c.3"></div> 725 727 <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a> <a id="protection.space" href="#protection.space">Protection Space (Realm)</a></h2> 726 728 <p id="rfc.section.2.2.p.1">The authentication parameter realm is reserved for use by authentication schemes that wish to indicate the scope of protection.</p> … … 806 808 </ul> 807 809 <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a> <a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1> 808 <div id="rfc.iref.1 2"></div>810 <div id="rfc.iref.13"></div> 809 811 <div id="rfc.iref.s.1"></div> 810 812 <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a> <a id="status.401" href="#status.401">401 Unauthorized</a></h2> … … 814 816 information. 815 817 </p> 816 <div id="rfc.iref.1 3"></div>818 <div id="rfc.iref.14"></div> 817 819 <div id="rfc.iref.s.2"></div> 818 820 <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a> <a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2> … … 1003 1005 in this problem. In particular, user agents which cache credentials are encouraged to provide a readily accessible mechanism 1004 1006 for discarding cached credentials under user control. 1007 </p> 1008 <h2 id="rfc.section.6.2"><a href="#rfc.section.6.2">6.2</a> <a id="protection.spaces" href="#protection.spaces">Protection Spaces</a></h2> 1009 <p id="rfc.section.6.2.p.1">Authentication schemes that solely rely on the "realm" mechanism for establishing a protection space will expose credentials 1010 to all resources on a server. 
Clients that have successfully made authenticated requests with a resource can use the same 1011 authentication credentials for other resources on the same server. This makes it possible for a different resource to harvest 1012 authentication credentials for other resources. 1013 </p> 1014 <p id="rfc.section.6.2.p.2">This is of particular concern when a server hosts resources for multiple parties under the same canonical root URI (<a href="#protection.spaces" title="Protection Spaces">Section 6.2</a>). Possible mitigation strategies include restricting direct access to authentication credentials (i.e., not making the content 1015 of the Authorization request header field available), and separating protection spaces by using a different host name for 1016 each party. 1005 1017 </p> 1006 1018 <h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a> <a id="acks" href="#acks">Acknowledgments</a></h1> … … 1130 1142 <p id="rfc.section.C.1.p.1">Closed issues: </p> 1131 1143 <ul> 1144 <li> <<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/348">http://tools.ietf.org/wg/httpbis/trac/ticket/348</a>>: "Realms and scope" 1145 </li> 1132 1146 <li> <<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/349">http://tools.ietf.org/wg/httpbis/trac/ticket/349</a>>: "Strength" 1133 1147 </li> … … 1139 1153 <ul class="ind"> 1140 1154 <li><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul> 1141 <li>401 Unauthorized (status code) <a href="#rfc.iref.1 2"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>1142 <li>407 Proxy Authentication Required (status code) <a href="#rfc.iref.1 3"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>1155 <li>401 Unauthorized (status code) <a href="#rfc.iref.13"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li> 1156 <li>407 Proxy Authentication Required (status code) <a href="#rfc.iref.14"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li> 1143 1157 </ul> 1144 1158 </li> … … 1154 1168 </li> 1155 1169 
<li><a id="rfc.index.C" href="#rfc.index.C"><b>C</b></a><ul> 1170 <li>Canonical Root URI <a href="#rfc.iref.c.3">2.2</a></li> 1156 1171 <li><tt>challenge</tt> <a href="#rfc.iref.c.1"><b>2.1</b></a></li> 1157 1172 <li><tt>credentials</tt> <a href="#rfc.iref.c.2"><b>2.1</b></a></li> -
draft-ietf-httpbis/latest/p7-auth.xml
r1669 r1672 342 342 <iref item="Protection Space"/> 343 343 <iref item="Realm"/> 344 <iref item="Canonical Root URI"/> 344 345 <t> 345 346 The authentication parameter realm is reserved for use by authentication … … 804 805 </t> 805 806 </section> 807 808 <section title="Protection Spaces" anchor="protection.spaces"> 809 <t> 810 Authentication schemes that solely rely on the "realm" mechanism for 811 establishing a protection space will expose credentials to all resources on a 812 server. Clients that have successfully made authenticated requests with a 813 resource can use the same authentication credentials for other resources on 814 the same server. This makes it possible for a different resource to harvest 815 authentication credentials for other resources. 816 </t> 817 <t> 818 This is of particular concern when a server hosts resources for multiple 819 parties under the same canonical root URI (<xref target="protection.spaces"/>). 820 Possible mitigation strategies include restricting direct access to 821 authentication credentials (i.e., not making the content of the 822 Authorization request header field available), and separating protection 823 spaces by using a different host name for each party. 824 </t> 825 </section> 806 826 </section> 807 827 … … 1128 1148 <list style="symbols"> 1129 1149 <t> 1150 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/348"/>: 1151 "Realms and scope" 1152 </t> 1153 <t> 1130 1154 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/349"/>: 1131 1155 "Strength"
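Review bot: The xref in the second paragraph of the new "Protection Spaces" section targets `protection.spaces`, which is the anchor of that very section, so the rendered text reads "under the same canonical root URI (Section 6.2)" from inside Section 6.2 (the generated p7-auth.html shows the same self-link: `<a href="#protection.spaces" title="Protection Spaces">Section 6.2</a>`). The `<iref item="Canonical Root URI"/>` added in this changeset sits in the "Protection Space (Realm)" section, anchor `protection.space`, so the intended reference is presumably `<xref target="protection.space"/>` (Section 2.2). Minor wording point in the first paragraph: "made authenticated requests with a resource" reads more naturally as "to a resource".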