Changeset 2568


Ignore:
Timestamp:
23/01/14 09:13:32 (7 years ago)
Author:
fielding@…
Message:

(editorial) update security section intro for p7; see #520 and #549

Location:
draft-ietf-httpbis/latest
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • draft-ietf-httpbis/latest/p7-auth.html

    r2558 r2568  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 21, 2014";
     450       content: "Expires July 27, 2014";
    451451  }
    452452  @bottom-right {
     
    488488      <meta name="dct.creator" content="Reschke, J. F.">
    489489      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
    490       <meta name="dct.issued" scheme="ISO8601" content="2014-01-17">
     490      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
    491491      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    492492      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.">
     
    516516            <tr>
    517517               <td class="left">Intended status: Standards Track</td>
    518                <td class="right">January 17, 2014</td>
     518               <td class="right">January 23, 2014</td>
    519519            </tr>
    520520            <tr>
    521                <td class="left">Expires: July 21, 2014</td>
     521               <td class="left">Expires: July 27, 2014</td>
    522522               <td class="right"></td>
    523523            </tr>
     
    546546            in progress”.
    547547         </p>
    548          <p>This Internet-Draft will expire on July 21, 2014.</p>
     548         <p>This Internet-Draft will expire on July 27, 2014.</p>
    549549      </div>
    550550      <div id="rfc.copyrightnotice">
     
    974974      <div id="security.considerations">
    975975         <h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
    976          <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP/1.1
    977             authentication. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
    978          </p>
    979          <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
    980             as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
     976         <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP authentication.
     977            More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
     978         </p>
     979         <p id="rfc.section.6.p.2">Everything about the topic of HTTP authentication is a security consideration, so the list of considerations below is not
     980            exhaustive. Furthermore, it is limited to security considerations regarding the authentication framework, in general, rather
     981            than discussing all of the potential considerations for specific authentication schemes (which ought to be documented in the
     982            specifications that define those schemes). Various organizations maintain topical information and links to current research
     983            on Web application security (e.g., <a href="#OWASP" id="rfc.xref.OWASP.1"><cite title="A Guide to Building Secure Web Applications and Web Services">[OWASP]</cite></a>), including common pitfalls for implementing and using the authentication schemes found in practice.
    981984         </p>
    982985         <div id="auth.credentials.and.idle.clients">
     
    10611064            <td class="reference"><b id="BCP90">[BCP90]</b></td>
    10621065            <td class="top"><a href="mailto:GK-IETF@ninebynine.org" title="Nine by Nine">Klyne, G.</a>, <a href="mailto:mnot@pobox.com" title="BEA Systems">Nottingham, M.</a>, and <a href="mailto:JeffMogul@acm.org" title="HP Labs">J. Mogul</a>, “<a href="http://tools.ietf.org/html/rfc3864">Registration Procedures for Message Header Fields</a>”, BCP&nbsp;90, RFC&nbsp;3864, September&nbsp;2004.
     1066            </td>
     1067         </tr>
     1068         <tr>
     1069            <td class="reference"><b id="OWASP">[OWASP]</b></td>
     1070            <td class="top">van der Stock, A., Ed., “<a href="https://www.owasp.org/">A Guide to Building Secure Web Applications and Web Services</a>”, The Open Web Application Security Project (OWASP)&nbsp;2.0.1, July&nbsp;2005, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;.
    10631071            </td>
    10641072         </tr>
     
    11891197      </div>
    11901198      <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1>
    1191       <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.B">B</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.W">W</a>
     1199      <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.B">B</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.O">O</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.W">W</a>
    11921200      </p>
    11931201      <div class="print2col">
     
    12261234               </ul>
    12271235            </li>
     1236            <li><a id="rfc.index.O" href="#rfc.index.O"><b>O</b></a><ul>
     1237                  <li><em>OWASP</em>&nbsp;&nbsp;<a href="#rfc.xref.OWASP.1">6</a>, <a href="#OWASP"><b>8.2</b></a></li>
     1238               </ul>
     1239            </li>
    12281240            <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul>
    12291241                  <li><em>Part1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.1</a>, <a href="#rfc.xref.Part1.2">1.2</a>, <a href="#rfc.xref.Part1.3">2.2</a>, <a href="#rfc.xref.Part1.4">4.2</a>, <a href="#rfc.xref.Part1.5">4.4</a>, <a href="#rfc.xref.Part1.6">5.1.2</a>, <a href="#rfc.xref.Part1.7">6</a>, <a href="#rfc.xref.Part1.8">7</a>, <a href="#Part1"><b>8.1</b></a>, <a href="#rfc.xref.Part1.9">B</a>, <a href="#rfc.xref.Part1.10">B</a>, <a href="#rfc.xref.Part1.11">B</a>, <a href="#rfc.xref.Part1.12">B</a>, <a href="#rfc.xref.Part1.13">B</a>, <a href="#rfc.xref.Part1.14">C</a><ul>

  • draft-ietf-httpbis/latest/p7-auth.xml

    r2558 r2568  
    679679<t>
    680680   This section is meant to inform developers, information providers, and
    681    users of known security concerns specific to HTTP/1.1 authentication.
     681   users of known security concerns specific to HTTP authentication.
    682682   More general security considerations are addressed in HTTP messaging
    683683   &messaging; and semantics &semantics;.
    684684</t>
    685685<t>
    686    The list of considerations below is not exhaustive &mdash; security
    687    analysis in an ongoing activity. Various organizations, such as the
    688    "Open Web Application Security Project" (OWASP,
    689    <eref target="https://www.owasp.org/"/>), provide information about current
    690    research.
     686   Everything about the topic of HTTP authentication is a security
     687   consideration, so the list of considerations below is not exhaustive.
     688   Furthermore, it is limited to security considerations regarding the
     689   authentication framework, in general, rather than discussing all of the
     690   potential considerations for specific authentication schemes (which ought
     691   to be documented in the specifications that define those schemes).
     692   Various organizations maintain topical information and links to current
     693   research on Web application security (e.g., <xref target="OWASP"/>),
     694   including common pitfalls for implementing and using the authentication
     695   schemes found in practice.
    691696</t>
    692697
     
    10031008</reference>
    10041009
     1010<reference anchor="OWASP" target="https://www.owasp.org/">
     1011        <front>
     1012    <title abbrev="OWASP">A Guide to Building Secure Web Applications and Web Services</title>
     1013    <author role="editor" initials="A." surname="van der Stock"
     1014            fullname="Andrew van der Stock"/>
     1015    <date month="July" day="27" year="2005"/>
     1016  </front>
     1017  <seriesInfo name="The Open Web Application Security Project (OWASP)" value="2.0.1"/>
     1018</reference>
     1019
    10051020</references>
    10061021
Note: See TracChangeset for help on using the changeset viewer.