Changeset 216 for draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.html

Timestamp:

22/02/08 19:16:51 (12 years ago)

Author:

paul.hoffman@…

Message:

Checked in 01 of security, also modded the Makefile for my setup.

File:

• draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.html (modified) (16 diffs)

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.html

@@ -297 +297 @@
   } 
   @top-right {
-       content: "January 2008"; 
+       content: " 2008"; 
   } 
   @top-center {
@@ -337 +337 @@
       <meta name="DC.Creator" content="Hoffman, P.">
       <meta name="DC.Creator" content="Melnikov, A.">
-      <meta name="DC.Identifier" content="urn:ietf:id:draft-ietf-httpbis-security-properties-latest">
-      <meta name="DC.Date.Issued" scheme="ISO8601" content="2008-01">
+      <meta name="DC.Identifier" content="urn:ietf:id:draft-ietf-httpbis-security-properties-01.txt">
+      <meta name="DC.Date.Issued" scheme="ISO8601" content="2008-WRONG SYNTAX FOR MONTH">
       <meta name="DC.Description.Abstract" content="Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement security mechanisms, so that all conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes the trade-offs of each.">
    </head>
@@ -353 +353 @@
          <tr>
             <td class="header left">
-               &lt;draft-ietf-httpbis-security-properties-latest&gt;
+               &lt;draft-ietf-httpbis-security-properties-01.txt&gt;
                
             </td>
@@ -363 +363 @@
          </tr>
          <tr>
-            <td class="header left">Expires: July 2008</td>
-            <td class="header right">January 2008</td>
+            <td class="header left">Expires: WRONG SYNTAX FOR MONTH</td>
+            <td class="header right"> 2008</td>
          </tr>
       </table>
-      <p class="title">Security Requirements for HTTP<br><span class="filename">draft-ietf-httpbis-security-properties-latest</span></p>
+      <p class="title">Security Requirements for HTTP<br><span class="filename">draft-ietf-httpbis-security-properties-01.txt</span><div class="error">WARNING: The @docName attribute should contain the base name, not the filename (thus no file extension).</div>
+      </p>
       <h1><a id="rfc.status" href="#rfc.status">Status of this Memo</a></h1>
       <p>By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she
@@ -384 +385 @@
       <p>The list of Internet-Draft Shadow Directories can be accessed at &lt;<a href="http://www.ietf.org/shadow.html">http://www.ietf.org/shadow.html</a>&gt;.
       </p>
-      <p>This Internet-Draft will expire in July 2008.</p>
+      <p>This Internet-Draft will expire in WRONG SYNTAX FOR MONTH.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © The IETF Trust (2008). All Rights Reserved.</p>
@@ -396 +397 @@
       </h1>
       <p id="rfc.section.1.p.1">Recent IESG practice dictates that IETF protocols are required to specify mandatory to implement security mechanisms. "The
-         IETF Standards Process" <a href="#RFC2026"><cite title="The Internet Standards Process -- Revision 3">[RFC2026]</cite></a> does not require that protocols specify mandatory security mechanisms. "Strong Security Requirements for IETF Standard Protocols" <a href="#RFC3365"><cite title="Strong Security Requirements for Internet Engineering Task Force Standard Protocols">[RFC3365]</cite></a> requires that all IETF protocols provide a mechanism for implementors to provide strong security. RFC 3365 does not define
+         IETF Standards Process" <a href="#RFC2026"><cite title="The Internet Standards Process -- Revision 3">[RFC2026]</cite></a> does not require that protocols specify mandatory security mechanisms. "Strong Security Requirements for IETF Standard Protocols" <a href="#RFC3365"><cite title="Strong Security Requirements for Internet Engineering Task Force Standard Protocols">[RFC3365]</cite></a> requires that all IETF protocols provide a mechanism for implementers to provide strong security. RFC 3365 does not define
          the term "strong security".
       </p>
@@ -402 +403 @@
       </p>
       <div id="rfc.figure.u.1"></div><pre>
-   We have evolved in the IETF the notion of "mandatory to implement"
-   mechanisms.  This philosophy evolves from our primary desire to
-   ensure interoperability between different implementations of a
-   protocol.  If a protocol offers many options for how to perform a
-   particular task, but fails to provide for at least one that all
-   must implement, it may be possible that multiple, non-interoperable
-   implementations may result.  This is the consequence of the
-   selection of non-overlapping mechanisms being deployed in the
-   different implementations.
+  We have evolved in the IETF the notion of "mandatory to implement"
+  mechanisms.  This philosophy evolves from our primary desire to
+  ensure interoperability between different implementations of a
+  protocol.  If a protocol offers many options for how to perform a
+  particular task, but fails to provide for at least one that all
+  must implement, it may be possible that multiple, non-interoperable
+  implementations may result.  This is the consequence of the
+  selection of non-overlapping mechanisms being deployed in the
+  different implementations.
 </pre><p id="rfc.section.1.p.4">This document examines the effects of applying security constraints to Web applications, documents the properties that result
          from each method, and will make Best Current Practice recommendations for HTTP security in a later document version. At the
@@ -419 +420 @@
       </h1>
       <p id="rfc.section.2.p.1">For HTTP, the IETF generally defines "security mechanisms" as some combination of access authentication and/or a secure transport.</p>
+      <p id="rfc.section.2.p.2">[[ There is a suggestion that this section be split into "browser-like" and "automation-like" subsections. ]]</p>
+      <p id="rfc.section.2.p.3">[[ NTLM (shudder) was brought up in the WG a few times in the discussion of the -00 draft. Should we add a section on it?
+         ]]
+      </p>
       <h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a>&nbsp;Forms And Cookies
       </h2>
-      <p id="rfc.section.2.1.p.1">Almost all HTTP authentication is accomplished through HTML forms, with session keys stored in cookies. For cookies, most
-         implementations rely on the "Netscape specification", which is described loosely in section 10 of "HTTP State Management Mechanism" <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. The protocol in RFC 2109 is relatively widely implemented, but most clients don't advertise support for it. RFC 2109 was
+      <p id="rfc.section.2.1.p.1">Almost all HTTP authentication that involves a human using a web browser is accomplished through HTML forms, with session
+         identifiers stored in cookies. For cookies, most implementations rely on the "Netscape specification", which is described
+         loosely in section 10 of "HTTP State Management Mechanism" <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. The protocol in RFC 2109 is relatively widely implemented, but most clients don't advertise support for it. RFC 2109 was
          later updated <a href="#RFC2965"><cite title="HTTP State Management Mechanism">[RFC2965]</cite></a>, but the newer version is not widely implemented.
       </p>
-      <p id="rfc.section.2.1.p.2">Forms and cookies have number of properties that make them an excellent solution for some implementors. However, many of those
+      <p id="rfc.section.2.1.p.2">Forms and cookies have many properties that make them an excellent solution for some implementers. However, many of those
          properties introduce serious security trade-offs.
       </p>
       <p id="rfc.section.2.1.p.3">HTML forms provide a large degree of control over presentation, which is an imperative for many websites. However, this increases
-         user reliance on the appearance of the interface. Many users do not understand the construction of URIs <a href="#RFC3986"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, or their presentation in common clients [[ CITATION NEEDED ]]. As a result, forms are extremely vulnerable to spoofing.
+         user reliance on the appearance of the interface. Many users do not understand the construction of URIs <a href="#RFC3986"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, or their presentation in common clients <a href="#PhishingHOWTO"><cite title="Phishing Tips and Techniques">[PhishingHOWTO]</cite></a>. As a result, forms are extremely vulnerable to spoofing.
       </p>
       <p id="rfc.section.2.1.p.4">HTML forms provide acceptable internationalization if used carefully, at the cost of being transmitted as normal HTTP content
@@ -437 +443 @@
          autocomplete ]]
       </p>
-      <p id="rfc.section.2.1.p.6">The cookies that result from a successful form submission make it unessecary to validate credentials with each HTTP request;
+      <p id="rfc.section.2.1.p.6">The cookies that result from a successful form submission make it unnecessary to validate credentials with each HTTP request;
          this makes cookies an excellent property for scalability. Cookies are susceptible to a large variety of XSS (cross-site scripting)
          attacks, and measures to prevent such attacks will never be as stringent as necessary for authentication credentials because
@@ -445 +451 @@
       </p>
       <p id="rfc.section.2.1.p.7">HTML forms and cookies provide flexible ways of ending a session from the client.</p>
-      <p id="rfc.section.2.1.p.8">HTML forms require an HTML rendering engine, which many protocols have no use for.</p>
+      <p id="rfc.section.2.1.p.8">HTML forms require an HTML rendering engine for which many protocols have no use.</p>
       <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;HTTP Access Authentication
       </h2>
-      <p id="rfc.section.2.2.p.1">HTTP 1.1 provides a simple authentication framework, and "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a> defines two optional mechanisms. Both of these mechanisms are extremely rarely used in comparison to forms and cookies, but
-         some degree of support for one or both is available in many implementations. Neither scheme provides presentation control,
+      <p id="rfc.section.2.2.p.1">HTTP 1.1 provides a simple authentication framework, "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, which defines two optional mechanisms. Both of these mechanisms are extremely rarely used in comparison to forms and cookies,
+         but some degree of support for one or both is available in many implementations. Neither scheme provides presentation control,
          logout capabilities, or interoperable internationalization.
       </p>
@@ -475 +481 @@
       </p>
       <p id="rfc.section.2.2.2.p.3">Digest includes many modes of operation, but only the simplest modes enjoy any degree of interoperability. For example, most
-         implementations do not implement the mode that provides full message integrity. Additionally, implementation experience has
-         shown that the message integrity mode is impractical because it requires servers to analyze the full request before determining
-         whether the client knows the shared secret.
+         implementations do not implement the mode that provides full message integrity. Perhaps one reason is that implementation
+         experience has shown that in some cases, especially those involving large requests or responses such as streams, the message
+         integrity mode is impractical because it requires servers to analyze the full request before determining whether the client
+         knows the shared secret or whether message-body integrity has been violated and hence whether the request can be processed.
       </p>
       <p id="rfc.section.2.2.2.p.4">Digest is extremely susceptible to offline dictionary attacks, making it practical for attackers to perform a namespace walk
@@ -484 +491 @@
       <p id="rfc.section.2.2.2.p.5">Many of the most widely-deployed HTTP/1.1 clients are not compliant when GET requests include a query string <a href="#Apache_Digest"><cite title="Apache HTTP Server - mod_auth_digest">[Apache_Digest]</cite></a>.
       </p>
-      <p id="rfc.section.2.2.2.p.6">Digest either requires that authentication databases be expressly designed to accomodate it, or requires access to cleartext
+      <p id="rfc.section.2.2.2.p.6">Digest either requires that authentication databases be expressly designed to accommodate it, or requires access to cleartext
          passwords. As a result, many authentication databases that chose to do the former are incompatible, including the most common
          method of storing passwords for use with Forms and Cookies.
@@ -497 +504 @@
       <h4 id="rfc.section.2.2.3.1"><a href="#rfc.section.2.2.3.1">2.2.3.1</a>&nbsp;Negotiate (GSS-API) Authentication
       </h4>
-      <p id="rfc.section.2.2.3.1.p.1">[[ A discussion about "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows" <a href="#RFC4559"><cite title="SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows">[RFC4559]</cite></a> goes here.]]
+      <p id="rfc.section.2.2.3.1.p.1">[[ A discussion about "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows" <a href="#RFC4559"><cite title="SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows">[RFC4559]</cite></a> goes here. ]]
       </p>
       <h2 id="rfc.section.2.3"><a href="#rfc.section.2.3">2.3</a>&nbsp;Centrally-Issued Tickets
@@ -514 +521 @@
          TCP. Like the amalgam of HTTP technologies mentioned above, the XML-based protocols are defined by an ever-changing combination
          of standard and vendor-produced specifications, some of which may be obsoleted at any time <a href="#WS-Pagecount"><cite title="WS-Pagecount">[WS-Pagecount]</cite></a> without any documented change control procedures. These protocols usually don't have much in common with the Architecture
-         of the World Wide Web. It's not clear why term "Web" is used to group them, but they are obviously out of scope for HTTP-based
+         of the World Wide Web. It's not clear why the term "Web" is used to group them, but they are obviously out of scope for HTTP-based
          application protocols.
       </p>
+      <p id="rfc.section.2.4.p.2">[[ This section could really use a good definition of "Web Services" to differentiate it from REST. ]]</p>
       <h2 id="rfc.section.2.5"><a href="#rfc.section.2.5">2.5</a>&nbsp;Transport Layer Security
       </h2>
@@ -593 +601 @@
          </tr>  
          <tr>
+            <td class="reference"><b id="PhishingHOWTO">[PhishingHOWTO]</b></td>
+            <td class="top">Gutmann, P., “<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">Phishing Tips and Techniques</a>”, February&nbsp;2008, &lt;<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf</a>&gt;.
+            </td>
+         </tr>  
+         <tr>
             <td class="reference"><b id="WS-Pagecount">[WS-Pagecount]</b></td>
             <td class="top">Bray, T., “<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">WS-Pagecount</a>”, September&nbsp;2004, &lt;<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research</a>&gt;.
@@ -605 +618 @@
       <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a>&nbsp;Acknowledgements
       </h1>
-      <p id="rfc.section.A.p.1">Much of the material in this document was written by Rob Sayre, who first promoted the topic.</p>
+      <p id="rfc.section.A.p.1">Much of the material in this document was written by Rob Sayre, who first promoted the topic. Many others on the HTTPbis Working
+         Group have contributed to this document in the discussion.
+      </p>
       <hr class="noprint">
       <h1 id="rfc.section.B" class="np"><a href="#rfc.section.B">B.</a>&nbsp;Document History
       </h1>
       <p id="rfc.section.B.p.1">[This entire section is to be removed when published as an RFC.]</p>
-      <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a>&nbsp;Changes between draft-sayre-http-security-variance-00 and   draft-ietf-http-security-properties-00
+      <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a>&nbsp;Changes between draft-sayre-http-security-variance-00 and   draft-ietf-httpbis-security-properties-00
       </h2>
       <p id="rfc.section.B.1.p.1">Changed the authors to Paul Hoffman and Alexey Melnikov, with permission of Rob Sayre.</p>
       <p id="rfc.section.B.1.p.2">Made lots of minor editorial changes.</p>
       <p id="rfc.section.B.1.p.3">Removed what was section 2 (Requirements Notation), the reference to RFC 2119, and any use of 2119ish all-caps words.</p>
-      <p id="rfc.section.B.1.p.4">In 3.2.1 and 3.2.2, changed "Latin-1 range" to "ISO 8859-1 repertoire" to match the defintion of "TEXT" in RFC 2616.</p>
+      <p id="rfc.section.B.1.p.4">In 3.2.1 and 3.2.2, changed "Latin-1 range" to "ISO 8859-1 repertoire" to match the definition of "TEXT" in RFC 2616.</p>
       <p id="rfc.section.B.1.p.5">Added minor text to the Security Considerations section.</p>
       <p id="rfc.section.B.1.p.6">Added URLs to the two non-RFC references.</p>
+      <h2 id="rfc.section.B.2"><a href="#rfc.section.B.2">B.2</a>&nbsp;Changes between -00 and -01
+      </h2>
+      <p id="rfc.section.B.2.p.1">Fixed some editorial nits reported by Iain Calder.</p>
+      <p id="rfc.section.B.2.p.2">Added the suggestions about splitting for browsers and automation, and about adding NTLM, to be beginning of 2.</p>
+      <p id="rfc.section.B.2.p.3">In 2.1, added "that involves a human using a web browser" in the first sentence.</p>
+      <p id="rfc.section.B.2.p.4">In 2.1, changed "session key" to "session identifier".</p>
+      <p id="rfc.section.B.2.p.5">In 2.2.2, changed </p>
+      <div id="rfc.figure.u.2"></div><pre>
+Digest includes many modes of operation, but only the simplest modes
+enjoy any degree of interoperability.  For example, most
+implementations do not implement the mode that provides full message
+integrity.  Additionally, implementation experience has shown that
+the message integrity mode is impractical because it requires servers
+to analyze the full request before determining whether the client
+knows the shared secret.
+</pre><p> to </p>
+      <div id="rfc.figure.u.3"></div><pre>
+Digest includes many modes of operation, but only the simplest
+modes enjoy any degree of interoperability.  For example, most
+implementations do not implement the mode that provides full message
+integrity.  Perhaps one reason is that implementation experience has
+shown that in some cases, especially those involving large requests
+or responses such as streams, the message integrity mode is
+impractical because it requires servers to analyze the full request
+before determining whether the client knows the shared secret or
+whether message-body integrity has been violated and hence whether
+the request can be processed.
+</pre><p id="rfc.section.B.2.p.6">In 2.4, asked for a definition of "Web Services".</p>
+      <p id="rfc.section.B.2.p.7">In A, added the WG.</p>
       <h1><a id="rfc.copyright" href="#rfc.copyright">Full Copyright Statement</a></h1>
       <p>Copyright © The IETF Trust (2008).</p>