Changeset 2399

Timestamp:

15/09/13 00:56:07 (7 years ago)

Author:

fielding@…

Message:

(editorial) replace obsolete text on lack of HTTP support for logout

Location:

draft-ietf-httpbis/latest

Files:

• p7-auth.html (modified) (2 diffs)
• p7-auth.xml (modified) (2 diffs)

draft-ietf-httpbis/latest/p7-auth.html

@@ -937 +937 @@
       </p>
       <h2 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a>&nbsp;<a id="auth.credentials.and.idle.clients" href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></h2>
-      <p id="rfc.section.6.1.p.1">Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide
-         a method for a server to direct clients to discard these cached credentials. This is a significant defect that requires further
-         extensions to HTTP. Circumstances under which credential caching can interfere with the application's security model include
-         but are not limited to: 
+      <p id="rfc.section.6.1.p.1">Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP does not provide a mechanism
+         for the origin server to direct clients to discard these cached credentials, since the protocol has no awareness of how credentials
+         are obtained or managed by the user agent. The mechanisms for expiring or revoking credentials can be specified as part of
+         an authentication scheme definition.
+      </p>
+      <p id="rfc.section.6.1.p.2">Circumstances under which credential caching can interfere with the application's security model include but are not limited
+         to: 
       </p>
       <ul>
@@ -950 +953 @@
          </li>
       </ul>
-      <p id="rfc.section.6.1.p.2">This is currently under separate study. There are a number of work-arounds to parts of this problem, and we encourage the
-         use of password protection in screen savers, idle time-outs, and other methods that mitigate the security problems inherent
-         in this problem. In particular, user agents that cache credentials are encouraged to provide a readily accessible mechanism
-         for discarding cached credentials under user control.
+      <p id="rfc.section.6.1.p.3">User agents that cache credentials are encouraged to provide a readily accessible mechanism for discarding cached credentials
+         under user control.
       </p>
       <h2 id="rfc.section.6.2"><a href="#rfc.section.6.2">6.2</a>&nbsp;<a id="protection.spaces" href="#protection.spaces">Protection Spaces</a></h2>

draft-ietf-httpbis/latest/p7-auth.xml

@@ -689 +689 @@
 <t>
    Existing HTTP clients and user agents typically retain authentication
-   information indefinitely. HTTP/1.1 does not provide a method for a
-   server to direct clients to discard these cached credentials. This is
-   a significant defect that requires further extensions to HTTP.
+   information indefinitely. HTTP does not provide a mechanism for the
+   origin server to direct clients to discard these cached credentials, since
+   the protocol has no awareness of how credentials are obtained or managed
+   by the user agent. The mechanisms for expiring or revoking credentials can
+   be specified as part of an authentication scheme definition.
+</t>
+<t>
    Circumstances under which credential caching can interfere with the
    application's security model include but are not limited to:
@@ -706 +710 @@
 </t>
 <t>
-   This is currently under separate study. There are a number of work-arounds
-   to parts of this problem, and we encourage the use of
-   password protection in screen savers, idle time-outs, and other
-   methods that mitigate the security problems inherent in this
-   problem. In particular, user agents that cache credentials are
-   encouraged to provide a readily accessible mechanism for discarding
-   cached credentials under user control.
+   User agents that cache credentials are encouraged to provide a readily
+   accessible mechanism for discarding cached credentials under user control.
 </t>
 </section>