08/06/12 08:56:24 (11 years ago)

add security consideration wrt realms (see #348)

1 edited


  • draft-ietf-httpbis/latest/p7-auth.html

    r1669 r1672  
    449449  }
    450450  @bottom-center {
    451        content: "Expires December 7, 2012";
     451       content: "Expires December 10, 2012";
    452452  }
    453453  @bottom-right {
    489489      <meta name="dct.creator" content="Reschke, J. F.">
    490490      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
    491       <meta name="dct.issued" scheme="ISO8601" content="2012-06-05">
     491      <meta name="dct.issued" scheme="ISO8601" content="2012-06-08">
    492492      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    493493      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines the HTTP Authentication framework.">
    520520            </tr>
    521521            <tr>
    522                <td class="left">Expires: December 7, 2012</td>
     522               <td class="left">Expires: December 10, 2012</td>
    523523               <td class="right">greenbytes</td>
    524524            </tr>
    525525            <tr>
    526526               <td class="left"></td>
    527                <td class="right">June 5, 2012</td>
     527               <td class="right">June 8, 2012</td>
    528528            </tr>
    529529         </tbody>
    553553         in progress”.
    554554      </p>
    555       <p>This Internet-Draft will expire on December 7, 2012.</p>
     555      <p>This Internet-Draft will expire on December 10, 2012.</p>
    556556      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
    557557      <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
    608608         <li>6.&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a><ul>
    609609               <li>6.1&nbsp;&nbsp;&nbsp;<a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></li>
     610               <li>6.2&nbsp;&nbsp;&nbsp;<a href="#protection.spaces">Protection Spaces</a></li>
    610611            </ul>
    611612         </li>
    723724      <div id="rfc.iref.p.1"></div>
    724725      <div id="rfc.iref.r.1"></div>
     726      <div id="rfc.iref.c.3"></div>
    725727      <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;<a id="protection.space" href="#protection.space">Protection Space (Realm)</a></h2>
    726728      <p id="rfc.section.2.2.p.1">The authentication parameter realm is reserved for use by authentication schemes that wish to indicate the scope of protection.</p>
    806808      </ul>
    807809      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1>
    808       <div id="rfc.iref.12"></div>
     810      <div id="rfc.iref.13"></div>
    809811      <div id="rfc.iref.s.1"></div>
    810812      <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h2>
    814816         information.
    815817      </p>
    816       <div id="rfc.iref.13"></div>
     818      <div id="rfc.iref.14"></div>
    817819      <div id="rfc.iref.s.2"></div>
    818820      <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2>
    10031005         in this problem. In particular, user agents which cache credentials are encouraged to provide a readily accessible mechanism
    10041006         for discarding cached credentials under user control.
     1007      </p>
     1008      <h2 id="rfc.section.6.2"><a href="#rfc.section.6.2">6.2</a>&nbsp;<a id="protection.spaces" href="#protection.spaces">Protection Spaces</a></h2>
     1009      <p id="rfc.section.6.2.p.1">Authentication schemes that solely rely on the "realm" mechanism for establishing a protection space will expose credentials
     1010         to all resources on a server. Clients that have successfully made authenticated requests with a resource can use the same
     1011         authentication credentials for other resources on the same server. This makes it possible for a different resource to harvest
     1012         authentication credentials for other resources.
     1013      </p>
     1014      <p id="rfc.section.6.2.p.2">This is of particular concern when a server hosts resources for multiple parties under the same canonical root URI (<a href="#protection.spaces" title="Protection Spaces">Section&nbsp;6.2</a>). Possible mitigation strategies include restricting direct access to authentication credentials (i.e., not making the content
     1015         of the Authorization request header field available), and separating protection spaces by using a different host name for
     1016         each party.
    10051017      </p>
    10061018      <h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a>&nbsp;<a id="acks" href="#acks">Acknowledgments</a></h1>
    11301142      <p id="rfc.section.C.1.p.1">Closed issues: </p>
    11311143      <ul>
     1144         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/348">http://tools.ietf.org/wg/httpbis/trac/ticket/348</a>&gt;: "Realms and scope"
     1145         </li>
    11321146         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/349">http://tools.ietf.org/wg/httpbis/trac/ticket/349</a>&gt;: "Strength"
    11331147         </li>
    11391153         <ul class="ind">
    11401154            <li><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul>
    1141                   <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.12"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>
    1142                   <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.13"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>
     1155                  <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.13"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>
     1156                  <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.14"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>
    11431157               </ul>
    11441158            </li>
    11541168            </li>
    11551169            <li><a id="rfc.index.C" href="#rfc.index.C"><b>C</b></a><ul>
     1170                  <li>Canonical Root URI&nbsp;&nbsp;<a href="#rfc.iref.c.3">2.2</a></li>
    11561171                  <li><tt>challenge</tt>&nbsp;&nbsp;<a href="#rfc.iref.c.1"><b>2.1</b></a></li>
    11571172                  <li><tt>credentials</tt>&nbsp;&nbsp;<a href="#rfc.iref.c.2"><b>2.1</b></a></li>
Note: See TracChangeset for help on using the changeset viewer.