Timestamp:
Jun 8, 2012, 1:56:24 AM (7 years ago)
Author:
julian.reschke@…
Message:

add security consideration wrt realms (see #348)

Location:
draft-ietf-httpbis/latest
Files:
2 edited

  • draft-ietf-httpbis/latest/p7-auth.html

    r1669 r1672  
    449449  }
    450450  @bottom-center {
    451        content: "Expires December 7, 2012";
     451       content: "Expires December 10, 2012";
    452452  }
    453453  @bottom-right {
     
    489489      <meta name="dct.creator" content="Reschke, J. F.">
    490490      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
    491       <meta name="dct.issued" scheme="ISO8601" content="2012-06-05">
     491      <meta name="dct.issued" scheme="ISO8601" content="2012-06-08">
    492492      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    493493      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines the HTTP Authentication framework.">
     
    520520            </tr>
    521521            <tr>
    522                <td class="left">Expires: December 7, 2012</td>
     522               <td class="left">Expires: December 10, 2012</td>
    523523               <td class="right">greenbytes</td>
    524524            </tr>
    525525            <tr>
    526526               <td class="left"></td>
    527                <td class="right">June 5, 2012</td>
     527               <td class="right">June 8, 2012</td>
    528528            </tr>
    529529         </tbody>
     
    553553         in progress”.
    554554      </p>
    555       <p>This Internet-Draft will expire on December 7, 2012.</p>
     555      <p>This Internet-Draft will expire on December 10, 2012.</p>
    556556      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
    557557      <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
     
    608608         <li>6.&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a><ul>
    609609               <li>6.1&nbsp;&nbsp;&nbsp;<a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></li>
     610               <li>6.2&nbsp;&nbsp;&nbsp;<a href="#protection.spaces">Protection Spaces</a></li>
    610611            </ul>
    611612         </li>
     
    723724      <div id="rfc.iref.p.1"></div>
    724725      <div id="rfc.iref.r.1"></div>
     726      <div id="rfc.iref.c.3"></div>
    725727      <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;<a id="protection.space" href="#protection.space">Protection Space (Realm)</a></h2>
    726728      <p id="rfc.section.2.2.p.1">The authentication parameter realm is reserved for use by authentication schemes that wish to indicate the scope of protection.</p>
     
    806808      </ul>
    807809      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1>
    808       <div id="rfc.iref.12"></div>
     810      <div id="rfc.iref.13"></div>
    809811      <div id="rfc.iref.s.1"></div>
    810812      <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h2>
     
    814816         information.
    815817      </p>
    816       <div id="rfc.iref.13"></div>
     818      <div id="rfc.iref.14"></div>
    817819      <div id="rfc.iref.s.2"></div>
    818820      <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2>
     
    10031005         in this problem. In particular, user agents which cache credentials are encouraged to provide a readily accessible mechanism
    10041006         for discarding cached credentials under user control.
     1007      </p>
     1008      <h2 id="rfc.section.6.2"><a href="#rfc.section.6.2">6.2</a>&nbsp;<a id="protection.spaces" href="#protection.spaces">Protection Spaces</a></h2>
     1009      <p id="rfc.section.6.2.p.1">Authentication schemes that solely rely on the "realm" mechanism for establishing a protection space will expose credentials
     1010         to all resources on a server. Clients that have successfully made authenticated requests with a resource can use the same
     1011         authentication credentials for other resources on the same server. This makes it possible for a different resource to harvest
     1012         authentication credentials for other resources.
     1013      </p>
     1014      <p id="rfc.section.6.2.p.2">This is of particular concern when a server hosts resources for multiple parties under the same canonical root URI (<a href="#protection.spaces" title="Protection Spaces">Section&nbsp;6.2</a>). Possible mitigation strategies include restricting direct access to authentication credentials (i.e., not making the content
     1015         of the Authorization request header field available), and separating protection spaces by using a different host name for
     1016         each party.
    10051017      </p>
    10061018      <h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a>&nbsp;<a id="acks" href="#acks">Acknowledgments</a></h1>
     
    11301142      <p id="rfc.section.C.1.p.1">Closed issues: </p>
    11311143      <ul>
     1144         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/348">http://tools.ietf.org/wg/httpbis/trac/ticket/348</a>&gt;: "Realms and scope"
     1145         </li>
    11321146         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/349">http://tools.ietf.org/wg/httpbis/trac/ticket/349</a>&gt;: "Strength"
    11331147         </li>
     
    11391153         <ul class="ind">
    11401154            <li><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul>
    1141                   <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.12"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>
    1142                   <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.13"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>
     1155                  <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.13"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>
     1156                  <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.14"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>
    11431157               </ul>
    11441158            </li>
     
    11541168            </li>
    11551169            <li><a id="rfc.index.C" href="#rfc.index.C"><b>C</b></a><ul>
     1170                  <li>Canonical Root URI&nbsp;&nbsp;<a href="#rfc.iref.c.3">2.2</a></li>
    11561171                  <li><tt>challenge</tt>&nbsp;&nbsp;<a href="#rfc.iref.c.1"><b>2.1</b></a></li>
    11571172                  <li><tt>credentials</tt>&nbsp;&nbsp;<a href="#rfc.iref.c.2"><b>2.1</b></a></li>
  • draft-ietf-httpbis/latest/p7-auth.xml

    r1669 r1672  
    342342  <iref item="Protection Space"/>
    343343  <iref item="Realm"/>
     344  <iref item="Canonical Root URI"/>
    344345<t>
    345346   The authentication parameter realm is reserved for use by authentication
     
    804805</t>
    805806</section>
     807
     808<section title="Protection Spaces" anchor="protection.spaces">
     809<t>
     810  Authentication schemes that solely rely on the "realm" mechanism for
     811  establishing a protection space will expose credentials to all resources on a
     812  server. Clients that have successfully made authenticated requests with a
     813  resource can use the same authentication credentials for other resources on
     814  the same server. This makes it possible for a different resource to harvest
     815  authentication credentials for other resources.
     816</t>
     817<t>
     818  This is of particular concern when a server hosts resources for multiple
     819  parties under the same canonical root URI (<xref target="protection.spaces"/>).
     820  Possible mitigation strategies include restricting direct access to
     821  authentication credentials (i.e., not making the content of the
     822  Authorization request header field available), and separating protection
     823  spaces by using a different host name for each party.
     824</t>
     825</section>
    806826</section>
    807827
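Review bot: The `<xref target="protection.spaces"/>` in the second paragraph of the new section points at the section it sits in (anchor="protection.spaces"), so the rendered text reads "Section 6.2" inside Section 6.2 and sends the reader nowhere; the term being referenced, "canonical root URI", is introduced in Section 2.2, whose anchor is `protection.space` and which this same changeset indexes with `<iref item="Canonical Root URI"/>`, so the target should be `protection.space`. Two wording points in the same hunk: "made authenticated requests with a resource" reads more naturally as "to a resource", and the mitigation "restricting direct access to authentication credentials (i.e., not making the content of the Authorization request header field available)" does not say to whom; given the harvesting scenario in the first paragraph, "available to the code serving the other resources" or similar would make the intent explicit.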
     
    11281148  <list style="symbols">
    11291149    <t>
     1150      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/348"/>:
     1151      "Realms and scope"
     1152    </t>
     1153    <t>
    11301154      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/349"/>:
    11311155      "Strength"