Changeset 279 for draft-ietf-httpbis-security-properties/latest

Timestamp:

14/07/08 06:23:58 (14 years ago)

Author:

julian.reschke@…

Message:

remove *.redxml from Subversion, remove SYSTEM identifier, rebuild HTML version

Location:

draft-ietf-httpbis-security-properties/latest

Files:

• . (modified) (1 prop)
• draft-ietf-httpbis-security-properties.html (modified) (1 diff)
• draft-ietf-httpbis-security-properties.redxml (deleted)
• draft-ietf-httpbis-security-properties.xml (modified) (1 diff)

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.html

@@ +1 @@
+<!DOCTYPE html
+  PUBLIC "-//W3C//DTD HTML 4.01//EN">
+<html lang="en">
+   <head profile="http://www.w3.org/2006/03/hcard">
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+      <title>Security Requirements for HTTP</title><style type="text/css" title="Xml2Rfc (sans serif)">
+a {
+  text-decoration: none;
+}
+a.smpl {
+  color: black;
+}
+a:hover {
+  text-decoration: underline;
+}
+a:active {
+  text-decoration: underline;
+}
+address {
+  margin-top: 1em;
+  margin-left: 2em;
+  font-style: normal;
+}
+body {
+  color: black;
+  font-family: verdana, helvetica, arial, sans-serif;
+  font-size: 10pt;
+}
+cite {
+  font-style: normal;
+}
+dd {
+  margin-right: 2em;
+}
+dl {
+  margin-left: 2em;
+}
+
+dl.empty dd {
+  margin-top: .5em;
+}
+dl p {
+  margin-left: 0em;
+}
+dt {
+  margin-top: .5em;
+}
+h1 {
+  font-size: 14pt;
+  line-height: 21pt;
+  page-break-after: avoid;
+}
+h1.np {
+  page-break-before: always;
+}
+h1 a {
+  color: #333333;
+}
+h2 {
+  font-size: 12pt;
+  line-height: 15pt;
+  page-break-after: avoid;
+}
+h2 a {
+  color: black;
+}
+h3 {
+  font-size: 10pt;
+  page-break-after: avoid;
+}
+h3 a {
+  color: black;
+}
+h4 {
+  font-size: 10pt;
+  page-break-after: avoid;
+}
+h4 a {
+  color: black;
+}
+h5 {
+  font-size: 10pt;
+  page-break-after: avoid;
+}
+h5 a {
+  color: black;
+}
+img {
+  margin-left: 3em;
+}
+li {
+  margin-left: 2em;
+  margin-right: 2em;
+}
+ol {
+  margin-left: 2em;
+  margin-right: 2em;
+}
+ol p {
+  margin-left: 0em;
+}
+p {
+  margin-left: 2em;
+  margin-right: 2em;
+}
+pre {
+  margin-left: 3em;
+  background-color: lightyellow;
+  padding: .25em;
+}
+pre.text2 {
+  border-style: dotted;
+  border-width: 1px;
+  background-color: #f0f0f0;
+  width: 69em;
+}
+pre.inline {
+  background-color: white;
+  padding: 0em;
+}
+pre.text {
+  border-style: dotted;
+  border-width: 1px;
+  background-color: #f8f8f8;
+  width: 69em;
+}
+pre.drawing {
+  border-style: solid;
+  border-width: 1px;
+  background-color: #f8f8f8;
+  padding: 2em;
+}
+table {
+  margin-left: 2em;
+}
+table.header {
+  width: 95%;
+  font-size: 10pt;
+  color: white;
+}
+td.top {
+  vertical-align: top;
+}
+td.topnowrap {
+  vertical-align: top;
+  white-space: nowrap; 
+}
+td.header {
+  background-color: gray;
+  width: 50%;
+}
+td.reference {
+  vertical-align: top;
+  white-space: nowrap;
+  padding-right: 1em;
+}
+thead {
+  display:table-header-group;
+}
+ul.toc {
+  list-style: none;
+  margin-left: 1.5em;
+  margin-right: 0em;
+  padding-left: 0em;
+}
+li.tocline0 {
+  line-height: 150%;
+  font-weight: bold;
+  font-size: 10pt;
+  margin-left: 0em;
+  margin-right: 0em;
+}
+li.tocline1 {
+  line-height: normal;
+  font-weight: normal;
+  font-size: 9pt;
+  margin-left: 0em;
+  margin-right: 0em;
+}
+li.tocline2 {
+  font-size: 0pt;
+}
+ul p {
+  margin-left: 0em;
+}
+ul.ind {
+  list-style: none;
+  margin-left: 1.5em;
+  margin-right: 0em;
+  padding-left: 0em;
+}
+li.indline0 {
+  font-weight: bold;
+  line-height: 200%;
+  margin-left: 0em;
+  margin-right: 0em;
+}
+li.indline1 {
+  font-weight: normal;
+  line-height: 150%;
+  margin-left: 0em;
+  margin-right: 0em;
+}
+
+.comment {
+  background-color: yellow;
+}
+.center {
+  text-align: center;
+}
+.error {
+  color: red;
+  font-style: italic;
+  font-weight: bold;
+}
+.figure {
+  font-weight: bold;
+  text-align: center;
+  font-size: 9pt;
+}
+.filename {
+  color: #333333;
+  font-weight: bold;
+  font-size: 12pt;
+  line-height: 21pt;
+  text-align: center;
+}
+.fn {
+  font-weight: bold;
+}
+.hidden {
+  display: none;
+}
+.left {
+  text-align: left;
+}
+.right {
+  text-align: right;
+}
+.title {
+  color: #990000;
+  font-size: 18pt;
+  line-height: 18pt;
+  font-weight: bold;
+  text-align: center;
+  margin-top: 36pt;
+}
+.vcardline {
+  display: block;
+}
+.warning {
+  font-size: 14pt;
+  background-color: yellow;
+}
+
+
+@media print {
+  .noprint {
+    display: none;
+  }
+  
+  a {
+    color: black;
+    text-decoration: none;
+  }
+
+  table.header {
+    width: 90%;
+  }
+
+  td.header {
+    width: 50%;
+    color: black;
+    background-color: white;
+    vertical-align: top;
+    font-size: 12pt;
+  }
+
+  ul.toc a::after {
+    content: leader('.') target-counter(attr(href), page);
+  }
+  
+  a.iref {
+    content: target-counter(attr(href), page);
+  }
+  
+  .print2col {
+    column-count: 2;
+    -moz-column-count: 2;
+    column-fill: auto;
+  }
+}
+
+@page {
+  @top-left {
+       content: "INTERNET DRAFT"; 
+  } 
+  @top-right {
+       content: "July 2008"; 
+  } 
+  @top-center {
+       content: "Security Requirements for HTTP"; 
+  } 
+  @bottom-left {
+       content: "Hoffman & Melnikov"; 
+  } 
+  @bottom-center {
+       content: "Informational"; 
+  } 
+  @bottom-right {
+       content: "[Page " counter(page) "]"; 
+  } 
+}
+
+@page:first { 
+    @top-left {
+      content: normal;
+    }
+    @top-right {
+      content: normal;
+    }
+    @top-center {
+      content: normal;
+    }
+}
+</style><link rel="Author" href="#rfc.authors">
+      <link rel="Copyright" href="#rfc.copyright">
+      <link rel="Chapter" title="1 Introduction" href="#rfc.section.1">
+      <link rel="Chapter" title="2 Existing HTTP Security Mechanisms" href="#rfc.section.2">
+      <link rel="Chapter" title="3 Revisions To HTTP" href="#rfc.section.3">
+      <link rel="Chapter" title="4 Security Considerations" href="#rfc.section.4">
+      <link rel="Chapter" href="#rfc.section.5" title="5 Normative References">
+      <link rel="Appendix" title="A Acknowledgements" href="#rfc.section.A">
+      <link rel="Appendix" title="B Document History" href="#rfc.section.B">
+      <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.379, 2008-07-06 13:38:32, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/">
+      <link rel="schema.DC" href="http://purl.org/dc/elements/1.1/">
+      <meta name="DC.Creator" content="Hoffman, P.">
+      <meta name="DC.Creator" content="Melnikov, A.">
+      <meta name="DC.Identifier" content="urn:ietf:id:draft-ietf-httpbis-security-properties-02">
+      <meta name="DC.Date.Issued" scheme="ISO8601" content="2008-07">
+      <meta name="DC.Description.Abstract" content="Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement security mechanisms, so that all conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes the trade-offs of each.">
+   </head>
+   <body>
+      <table summary="header information" class="header" border="0" cellpadding="1" cellspacing="1">
+         <tr>
+            <td class="header left">Network Working Group</td>
+            <td class="header right">P. Hoffman</td>
+         </tr>
+         <tr>
+            <td class="header left">Internet Draft</td>
+            <td class="header right">VPN Consortium</td>
+         </tr>
+         <tr>
+            <td class="header left">
+               &lt;draft-ietf-httpbis-security-properties-02&gt;
+               
+            </td>
+            <td class="header right">A. Melnikov</td>
+         </tr>
+         <tr>
+            <td class="header left">Intended status: Informational</td>
+            <td class="header right">Isode Ltd.</td>
+         </tr>
+         <tr>
+            <td class="header left">Expires: January 2009</td>
+            <td class="header right">July 14, 2008</td>
+         </tr>
+      </table>
+      <p class="title">Security Requirements for HTTP<br><span class="filename">draft-ietf-httpbis-security-properties-02</span></p>
+      <h1><a id="rfc.status" href="#rfc.status">Status of this Memo</a></h1>
+      <p>By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she
+         is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section
+         6 of BCP 79.
+      </p>
+      <p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note
+         that other groups may also distribute working documents as Internet-Drafts.
+      </p>
+      <p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other
+         documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work
+         in progress”.
+      </p>
+      <p>The list of current Internet-Drafts can be accessed at &lt;<a href="http://www.ietf.org/ietf/1id-abstracts.txt">http://www.ietf.org/ietf/1id-abstracts.txt</a>&gt;.
+      </p>
+      <p>The list of Internet-Draft Shadow Directories can be accessed at &lt;<a href="http://www.ietf.org/shadow.html">http://www.ietf.org/shadow.html</a>&gt;.
+      </p>
+      <p>This Internet-Draft will expire in January 2009.</p>
+      <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1> 
+      <p>Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement security mechanisms, so that all conformant
+         implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes
+         the trade-offs of each.
+      </p> 
+      <hr class="noprint">
+      <h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a>&nbsp;Introduction
+      </h1>
+      <p id="rfc.section.1.p.1">Recent IESG practice dictates that IETF protocols are required to specify mandatory to implement security mechanisms. "The
+         IETF Standards Process" <a href="#RFC2026"><cite title="The Internet Standards Process -- Revision 3">[RFC2026]</cite></a> does not require that protocols specify mandatory security mechanisms. "Strong Security Requirements for IETF Standard Protocols" <a href="#RFC3365"><cite title="Strong Security Requirements for Internet Engineering Task Force Standard Protocols">[RFC3365]</cite></a> requires that all IETF protocols provide a mechanism for implementers to provide strong security. RFC 3365 does not define
+         the term "strong security".
+      </p>
+      <p id="rfc.section.1.p.2">"Security Mechanisms for the Internet" <a href="#RFC3631"><cite title="Security Mechanisms for the Internet">[RFC3631]</cite></a> is not an IETF procedural RFC, but it is perhaps most relevant. Section 2.2 states:
+      </p>
+      <div id="rfc.figure.u.1"></div><pre>
+  We have evolved in the IETF the notion of "mandatory to implement"
+  mechanisms.  This philosophy evolves from our primary desire to
+  ensure interoperability between different implementations of a
+  protocol.  If a protocol offers many options for how to perform a
+  particular task, but fails to provide for at least one that all
+  must implement, it may be possible that multiple, non-interoperable
+  implementations may result.  This is the consequence of the
+  selection of non-overlapping mechanisms being deployed in the
+  different implementations.
+</pre><p id="rfc.section.1.p.4">This document examines the effects of applying security constraints to Web applications, documents the properties that result
+         from each method, and will make Best Current Practice recommendations for HTTP security in a later document version. At the
+         moment, it is mostly a laundry list of security technologies and tradeoffs.
+      </p>
+      <hr class="noprint">
+      <h1 id="rfc.section.2" class="np"><a href="#rfc.section.2">2.</a>&nbsp;Existing HTTP Security Mechanisms
+      </h1>
+      <p id="rfc.section.2.p.1">For HTTP, the IETF generally defines "security mechanisms" as some combination of access authentication and/or a secure transport.</p>
+      <p id="rfc.section.2.p.2">[[ There is a suggestion that this section be split into "browser-like" and "automation-like" subsections. ]]</p>
+      <p id="rfc.section.2.p.3">[[ NTLM (shudder) was brought up in the WG a few times in the discussion of the -00 draft. Should we add a section on it?
+         ]]
+      </p>
+      <h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a>&nbsp;Forms And Cookies
+      </h2>
+      <p id="rfc.section.2.1.p.1">Almost all HTTP authentication that involves a human using a web browser is accomplished through HTML forms, with session
+         identifiers stored in cookies. For cookies, most implementations rely on the "Netscape specification", which is described
+         loosely in section 10 of "HTTP State Management Mechanism" <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. The protocol in RFC 2109 is relatively widely implemented, but most clients don't advertise support for it. RFC 2109 was
+         later updated <a href="#RFC2965"><cite title="HTTP State Management Mechanism">[RFC2965]</cite></a>, but the newer version is not widely implemented.
+      </p>
+      <p id="rfc.section.2.1.p.2">Forms and cookies have many properties that make them an excellent solution for some implementers. However, many of those
+         properties introduce serious security trade-offs.
+      </p>
+      <p id="rfc.section.2.1.p.3">HTML forms provide a large degree of control over presentation, which is an imperative for many websites. However, this increases
+         user reliance on the appearance of the interface. Many users do not understand the construction of URIs <a href="#RFC3986"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, or their presentation in common clients <a href="#PhishingHOWTO"><cite title="Phishing Tips and Techniques">[PhishingHOWTO]</cite></a>. As a result, forms are extremely vulnerable to spoofing.
+      </p>
+      <p id="rfc.section.2.1.p.4">HTML forms provide acceptable internationalization if used carefully, at the cost of being transmitted as normal HTTP content
+         in all cases (credentials are not differentiated in the protocol).
+      </p>
+      <p id="rfc.section.2.1.p.5">Many Web browsers have an auto-complete feature that stores a user's information and pre-populates fields in forms. This is
+         considered to be a convenience mechanism, and convenience mechanisms often have negative security properties. The security
+         concerns with auto-completion are particularly poignant for web browsers that reside on computers with multiple users. HTML
+         forms provide a facility for sites to indicate that a field, such as a password, should never be pre-populated. However, it
+         is clear that some form creators do not use this facility when they should.
+      </p>
+      <p id="rfc.section.2.1.p.6">The cookies that result from a successful form submission make it unnecessary to validate credentials with each HTTP request;
+         this makes cookies an excellent property for scalability. Cookies are susceptible to a large variety of XSS (cross-site scripting)
+         attacks, and measures to prevent such attacks will never be as stringent as necessary for authentication credentials because
+         cookies are used for many purposes. Cookies are also susceptible to a wide variety of attacks from malicious intermediaries
+         and observers. The possible attacks depend on the contents of the cookie data. There is no standard format for most of the
+         data.
+      </p>
+      <p id="rfc.section.2.1.p.7">HTML forms and cookies provide flexible ways of ending a session from the client.</p>
+      <p id="rfc.section.2.1.p.8">HTML forms require an HTML rendering engine for which many protocols have no use.</p>
+      <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;HTTP Access Authentication
+      </h2>
+      <p id="rfc.section.2.2.p.1">HTTP 1.1 provides a simple authentication framework, "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, which defines two optional mechanisms. Both of these mechanisms are extremely rarely used in comparison to forms and cookies,
+         but some degree of support for one or both is available in many implementations. Neither scheme provides presentation control,
+         logout capabilities, or interoperable internationalization.
+      </p>
+      <h3 id="rfc.section.2.2.1"><a href="#rfc.section.2.2.1">2.2.1</a>&nbsp;Basic Authentication
+      </h3>
+      <p id="rfc.section.2.2.1.p.1">Basic Authentication (normally called just "Basic") transmits usernames and passwords in the clear. It is very easy to implement,
+         but not at all secure unless used over a secure transport.
+      </p>
+      <p id="rfc.section.2.2.1.p.2">Basic has very poor scalability properties because credentials must be revalidated with every request, and because secure
+         transports negate many of HTTP's caching mechanisms. Some implementations use cookies in combination with Basic credentials,
+         but there is no standard method of doing so.
+      </p>
+      <p id="rfc.section.2.2.1.p.3">Since Basic credentials are clear text, they are reusable by any party. This makes them compatible with any authentication
+         database, at the cost of making the user vulnerable to mismanaged or malicious servers, even over a secure channel.
+      </p>
+      <p id="rfc.section.2.2.1.p.4">Basic is not interoperable when used with credentials that contain characters outside of the ISO 8859-1 repertoire.</p>
+      <h3 id="rfc.section.2.2.2"><a href="#rfc.section.2.2.2">2.2.2</a>&nbsp;Digest Authentication
+      </h3>
+      <p id="rfc.section.2.2.2.p.1">In Digest Authentication, the client transmits the results of hashing user credentials with properties of the request and
+         values from the server challenge. Digest is susceptible to man-in-the-middle attacks when not used over a secure transport.
+      </p>
+      <p id="rfc.section.2.2.2.p.2">Digest has some properties that are preferable to Basic and Cookies. Credentials are not immediately reusable by parties that
+         observe or receive them, and session data can be transmitted along side credentials with each request, allowing servers to
+         validate credentials only when absolutely necessary. Authentication data session keys are distinct from other protocol traffic.
+      </p>
+      <p id="rfc.section.2.2.2.p.3">Digest includes many modes of operation, but only the simplest modes enjoy any degree of interoperability. For example, most
+         implementations do not implement the mode that provides full message integrity. Perhaps one reason is that implementation
+         experience has shown that in some cases, especially those involving large requests or responses such as streams, the message
+         integrity mode is impractical because it requires servers to analyze the full request before determining whether the client
+         knows the shared secret or whether message-body integrity has been violated and hence whether the request can be processed.
+      </p>
+      <p id="rfc.section.2.2.2.p.4">Digest is extremely susceptible to offline dictionary attacks, making it practical for attackers to perform a namespace walk
+         consisting of a few million passwords for most users.
+      </p>
+      <p id="rfc.section.2.2.2.p.5">Many of the most widely-deployed HTTP/1.1 clients are not compliant when GET requests include a query string <a href="#Apache_Digest"><cite title="Apache HTTP Server - mod_auth_digest">[Apache_Digest]</cite></a>.
+      </p>
+      <p id="rfc.section.2.2.2.p.6">Digest either requires that authentication databases be expressly designed to accommodate it, or requires access to cleartext
+         passwords. As a result, many authentication databases that chose to do the former are incompatible, including the most common
+         method of storing passwords for use with Forms and Cookies.
+      </p>
+      <p id="rfc.section.2.2.2.p.7">Many Digest capabilities included to prevent replay attacks expose the server to Denial of Service attacks.</p>
+      <p id="rfc.section.2.2.2.p.8">Digest is not interoperable when used with credentials that contain characters outside of the ISO 8859-1 repertoire.</p>
+      <h3 id="rfc.section.2.2.3"><a href="#rfc.section.2.2.3">2.2.3</a>&nbsp;Authentication Using Certificates in TLS
+      </h3>
+      <p id="rfc.section.2.2.3.p.1">Running HTTP over TLS provides authentication of the HTTP server to the client. HTTP over TLS can also provides authentication
+         of the client to the server using certificates. Although forms are a much more common way to authenticate users to HTTP servers,
+         TLS client certificates are widely used in some environments. The public key infrastructure (PKI) used to validate certificates
+         in TLS can be rooted in public trust anchors or can be based on local trust anchors.
+      </p>
+      <h3 id="rfc.section.2.2.4"><a href="#rfc.section.2.2.4">2.2.4</a>&nbsp;Other Access Authentication Schemes
+      </h3>
+      <p id="rfc.section.2.2.4.p.1">There are many niche schemes that make use of the HTTP Authentication framework, but very few are well documented. Some are
+         bound to transport layer connections.
+      </p>
+      <h4 id="rfc.section.2.2.4.1"><a href="#rfc.section.2.2.4.1">2.2.4.1</a>&nbsp;Negotiate (GSS-API) Authentication
+      </h4>
+      <p id="rfc.section.2.2.4.1.p.1">Microsoft has designed an HTTP authentication mechanism that utilizes SPNEGO <a href="#RFC4178"><cite title="The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism">[RFC4178]</cite></a> GSSAPI <a href="#RFC4559"><cite title="SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows">[RFC4559]</cite></a>. In Microsoft's implementation, SPNEGO allows selection between Kerberos and NTLM (Microsoft NT Lan Manager protocols).
+      </p>
+      <p id="rfc.section.2.2.4.1.p.2">In Kerberos, clients and servers rely on a trusted third-party authentication service which maintains its own authentication
+         database. Kerberos is typically used with shared secret key cryptography, but extensions for use of other authentication mechnanisms
+         such as PKIX certificates and two-factor tokens are also common. Kerberos was designed to work under the assumption that packets
+         traveling along the network can be read, modified, and inserted at will.
+      </p>
+      <p id="rfc.section.2.2.4.1.p.3">Unlike Digest, Negotiate authentication can take multiple round trips (client sending authentication data in Authorization,
+         server sending authentication data in WWW-Authenticate) to complete.
+      </p>
+      <p id="rfc.section.2.2.4.1.p.4">Kerberos authentication is generally more secure than Digest. However the requirement for having a separate network authentication
+         service might be a barrier to deployment.
+      </p>
+      <h2 id="rfc.section.2.3"><a href="#rfc.section.2.3">2.3</a>&nbsp;Centrally-Issued Tickets
+      </h2>
+      <p id="rfc.section.2.3.p.1">Many large Internet services rely on authentication schemes that center on clients consulting a single service for a time-limited
+         ticket that is validated with undocumented heuristics. Centralized ticket issuing has the advantage that users may employ
+         one set of credentials for many services, and clients don't send credentials to many servers. This approach is often no more
+         than a sophisticated application of forms and cookies.
+      </p>
+      <p id="rfc.section.2.3.p.2">All of the schemes in wide use are proprietary and non-standard, and usually are undocumented. There are many standardization
+         efforts in progress, as usual.
+      </p>
+      <h2 id="rfc.section.2.4"><a href="#rfc.section.2.4">2.4</a>&nbsp;Web Services
+      </h2>
+      <p id="rfc.section.2.4.p.1">Many security properties mentioned in this document have been recast in XML-based protocols, using HTTP as a substitute for
+         TCP. Like the amalgam of HTTP technologies mentioned above, the XML-based protocols are defined by an ever-changing combination
+         of standard and vendor-produced specifications, some of which may be obsoleted at any time <a href="#WS-Pagecount"><cite title="WS-Pagecount">[WS-Pagecount]</cite></a> without any documented change control procedures. These protocols usually don't have much in common with the Architecture
+         of the World Wide Web. It's not clear why the term "Web" is used to group them, but they are obviously out of scope for HTTP-based
+         application protocols.
+      </p>
+      <p id="rfc.section.2.4.p.2">[[ This section could really use a good definition of "Web Services" to differentiate it from REST. ]]</p>
+      <h2 id="rfc.section.2.5"><a href="#rfc.section.2.5">2.5</a>&nbsp;Transport Layer Security
+      </h2>
+      <p id="rfc.section.2.5.p.1">In addition to using TLS for client and/or server authentication, it is also very commonly used to protect the confidentiality
+         and integrity of the HTTP session. For instance, both HTTP Basic authentication and Cookies are often protected against snooping
+         by TLS.
+      </p>
+      <p id="rfc.section.2.5.p.2">It should be noted that, in that case, TLS does not protect against a breach of the credential store at the server or against
+         a keylogger or phishing interface at the client. TLS does not change the fact that Basic Authentication passwords are reusable
+         and does not address that weakness.
+      </p>
+      <hr class="noprint">
+      <h1 id="rfc.section.3" class="np"><a href="#rfc.section.3">3.</a>&nbsp;Revisions To HTTP
+      </h1>
+      <p id="rfc.section.3.p.1">Is is possible that HTTP will be revised in the future. "HTTP/1.1" <a href="#RFC2616"><cite title="Hypertext Transfer Protocol -- HTTP/1.1">[RFC2616]</cite></a> and "Use and Interpretation of HTTP Version Numbers" <a href="#RFC2145"><cite title="Use and Interpretation of HTTP Version Numbers">[RFC2145]</cite></a> define conformance requirements in relation to version numbers. In HTTP 1.1, all authentication mechanisms are optional, and
+         no single transport substrate is specified. Any HTTP revision that adds a mandatory security mechanism or transport substrate
+         will have to increment the HTTP version number appropriately. All widely used schemes are non-standard and/or proprietary.
+      </p>
+      <hr class="noprint">
+      <h1 id="rfc.section.4" class="np"><a href="#rfc.section.4">4.</a>&nbsp;Security Considerations
+      </h1>
+      <p id="rfc.section.4.p.1">This entire document is about security considerations.</p>
+      <h1 class="np" id="rfc.references"><a href="#rfc.section.5" id="rfc.section.5">5.</a> Normative References
+      </h1>
+      <table summary="Normative References"> 
+         <tr>
+            <td class="reference"><b id="RFC2026">[RFC2026]</b></td>
+            <td class="top"><a href="mailto:sob@harvard.edu" title="Harvard University">Bradner, S.</a>, “<a href="http://tools.ietf.org/html/rfc2026">The Internet Standards Process -- Revision 3</a>”, BCP&nbsp;9, RFC&nbsp;2026, October&nbsp;1996.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC2109">[RFC2109]</b></td>
+            <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D.M.</a> and <a href="mailto:montulli@netscape.com" title="Netscape Communications Corp.">L. Montulli</a>, “<a href="http://tools.ietf.org/html/rfc2109">HTTP State Management Mechanism</a>”, RFC&nbsp;2109, February&nbsp;1997.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC2145">[RFC2145]</b></td>
+            <td class="top"><a href="mailto:mogul@wrl.dec.com" title="Western Research Laboratory">Mogul, J.C.</a>, <a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.T.</a>, <a href="mailto:jg@w3.org" title="MIT Laboratory for Computer Science">Gettys, J.</a>, and <a href="mailto:frystyk@w3.org" title="W3 Consortium">H.F. Nielsen</a>, “<a href="http://tools.ietf.org/html/rfc2145">Use and Interpretation of HTTP Version Numbers</a>”, RFC&nbsp;2145, May&nbsp;1997.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC2616">[RFC2616]</b></td>
+            <td class="top"><a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="World Wide Web Consortium">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com" title="Compaq Computer Corporation">Mogul, J.</a>, <a href="mailto:frystyk@w3.org" title="World Wide Web Consortium">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com" title="Xerox Corporation">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, and <a href="mailto:timbl@w3.org" title="World Wide Web Consortium">T. Berners-Lee</a>, “<a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>”, RFC&nbsp;2616, June&nbsp;1999.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC2617">[RFC2617]</b></td>
+            <td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.M.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.L.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.D.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.J.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, “<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC2965">[RFC2965]</b></td>
+            <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D. M.</a> and <a href="mailto:lou@montulli.org" title="Epinions.com, Inc.">L. Montulli</a>, “<a href="http://tools.ietf.org/html/rfc2965">HTTP State Management Mechanism</a>”, RFC&nbsp;2965, October&nbsp;2000.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC3365">[RFC3365]</b></td>
+            <td class="top">Schiller, J., “<a href="http://tools.ietf.org/html/rfc3365">Strong Security Requirements for Internet Engineering Task Force Standard Protocols</a>”, BCP&nbsp;61, RFC&nbsp;3365, August&nbsp;2002.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC3631">[RFC3631]</b></td>
+            <td class="top">Bellovin, S., Schiller, J., and C. Kaufman, “<a href="http://tools.ietf.org/html/rfc3631">Security Mechanisms for the Internet</a>”, RFC&nbsp;3631, December&nbsp;2003.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC3986">[RFC3986]</b></td>
+            <td class="top"><a href="mailto:timbl@w3.org" title="World Wide Web Consortium">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com" title="Day Software">Fielding, R.</a>, and <a href="mailto:LMM@acm.org" title="Adobe Systems Incorporated">L. Masinter</a>, “<a href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>”, STD&nbsp;66, RFC&nbsp;3986, January&nbsp;2005.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC4178">[RFC4178]</b></td>
+            <td class="top">Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, “<a href="http://tools.ietf.org/html/rfc4178">The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism</a>”, RFC&nbsp;4178, October&nbsp;2005.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="RFC4559">[RFC4559]</b></td>
+            <td class="top">Jaganathan, K., Zhu, L., and J. Brezak, “<a href="http://tools.ietf.org/html/rfc4559">SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows</a>”, RFC&nbsp;4559, June&nbsp;2006.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="Apache_Digest">[Apache_Digest]</b></td>
+            <td class="top">Apache Software Foundation, , “<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">Apache HTTP Server - mod_auth_digest</a>”, &lt;<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html</a>&gt;.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="PhishingHOWTO">[PhishingHOWTO]</b></td>
+            <td class="top">Gutmann, P., “<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">Phishing Tips and Techniques</a>”, February&nbsp;2008, &lt;<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf</a>&gt;.
+            </td>
+         </tr>  
+         <tr>
+            <td class="reference"><b id="WS-Pagecount">[WS-Pagecount]</b></td>
+            <td class="top">Bray, T., “<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">WS-Pagecount</a>”, September&nbsp;2004, &lt;<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research</a>&gt;.
+            </td>
+         </tr> 
+      </table>
+      <hr class="noprint">
+      <h1 id="rfc.authors" class="np"><a href="#rfc.authors">Authors' Addresses</a></h1>
+      <address class="vcard"><span class="vcardline"><span class="fn">Paul Hoffman</span><span class="n hidden"><span class="family-name">Hoffman</span><span class="given-name">Paul</span></span></span><span class="org vcardline">VPN Consortium</span><span class="vcardline">EMail: <a href="mailto:paul.hoffman@vpnc.org"><span class="email">paul.hoffman@vpnc.org</span></a></span></address>
+      <address class="vcard"><span class="vcardline"><span class="fn">Alexey Melnikov</span><span class="n hidden"><span class="family-name">Melnikov</span><span class="given-name">Alexey</span></span></span><span class="org vcardline">Isode Ltd.</span><span class="vcardline">EMail: <a href="mailto:alexey.melnikov@isode.com"><span class="email">alexey.melnikov@isode.com</span></a></span></address>
+      <hr class="noprint">
+      <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a>&nbsp;Acknowledgements
+      </h1>
+      <p id="rfc.section.A.p.1">Much of the material in this document was written by Rob Sayre, who first promoted the topic. Many others on the HTTPbis Working
+         Group have contributed to this document in the discussion.
+      </p>
+      <hr class="noprint">
+      <h1 id="rfc.section.B" class="np"><a href="#rfc.section.B">B.</a>&nbsp;Document History
+      </h1>
+      <p id="rfc.section.B.p.1">[This entire section is to be removed when published as an RFC.]</p>
+      <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a>&nbsp;Changes between draft-sayre-http-security-variance-00 and   draft-ietf-httpbis-security-properties-00
+      </h2>
+      <p id="rfc.section.B.1.p.1">Changed the authors to Paul Hoffman and Alexey Melnikov, with permission of Rob Sayre.</p>
+      <p id="rfc.section.B.1.p.2">Made lots of minor editorial changes.</p>
+      <p id="rfc.section.B.1.p.3">Removed what was section 2 (Requirements Notation), the reference to RFC 2119, and any use of 2119ish all-caps words.</p>
+      <p id="rfc.section.B.1.p.4">In 3.2.1 and 3.2.2, changed "Latin-1 range" to "ISO 8859-1 repertoire" to match the definition of "TEXT" in RFC 2616.</p>
+      <p id="rfc.section.B.1.p.5">Added minor text to the Security Considerations section.</p>
+      <p id="rfc.section.B.1.p.6">Added URLs to the two non-RFC references.</p>
+      <h2 id="rfc.section.B.2"><a href="#rfc.section.B.2">B.2</a>&nbsp;Changes between -00 and -01
+      </h2>
+      <p id="rfc.section.B.2.p.1">Fixed some editorial nits reported by Iain Calder.</p>
+      <p id="rfc.section.B.2.p.2">Added the suggestions about splitting for browsers and automation, and about adding NTLM, to be beginning of 2.</p>
+      <p id="rfc.section.B.2.p.3">In 2.1, added "that involves a human using a web browser" in the first sentence.</p>
+      <p id="rfc.section.B.2.p.4">In 2.1, changed "session key" to "session identifier".</p>
+      <p id="rfc.section.B.2.p.5">In 2.2.2, changed </p>
+      <div id="rfc.figure.u.2"></div><pre>
+Digest includes many modes of operation, but only the simplest modes
+enjoy any degree of interoperability.  For example, most
+implementations do not implement the mode that provides full message
+integrity.  Additionally, implementation experience has shown that
+the message integrity mode is impractical because it requires servers
+to analyze the full request before determining whether the client
+knows the shared secret.
+</pre><p> to </p>
+      <div id="rfc.figure.u.3"></div><pre>
+Digest includes many modes of operation, but only the simplest
+modes enjoy any degree of interoperability.  For example, most
+implementations do not implement the mode that provides full message
+integrity.  Perhaps one reason is that implementation experience has
+shown that in some cases, especially those involving large requests
+or responses such as streams, the message integrity mode is
+impractical because it requires servers to analyze the full request
+before determining whether the client knows the shared secret or
+whether message-body integrity has been violated and hence whether
+the request can be processed.
+</pre><p id="rfc.section.B.2.p.6">In 2.4, asked for a definition of "Web Services".</p>
+      <p id="rfc.section.B.2.p.7">In A, added the WG.</p>
+      <h2 id="rfc.section.B.3"><a href="#rfc.section.B.3">B.3</a>&nbsp;Changes between -01 and -02
+      </h2>
+      <p id="rfc.section.B.3.p.1">In section 2.1, added more to the paragraph on auto-completion of HTML forms.</p>
+      <p id="rfc.section.B.3.p.2">Added the section on TLS for authentication.</p>
+      <p id="rfc.section.B.3.p.3">Filled in section 2.5.</p>
+      <h1><a id="rfc.copyright" href="#rfc.copyright">Full Copyright Statement</a></h1>
+      <p>This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the
+         authors retain all their rights.
+      </p>
+      <p>This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION
+         HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE
+         DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
+         WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+      </p>
+      <hr class="noprint">
+      <h1 class="np"><a id="rfc.ipr" href="#rfc.ipr">Intellectual Property</a></h1>
+      <p>The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might
+         be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any
+         license under such rights might or might not be available; nor does it represent that it has made any independent effort to
+         identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and
+         BCP 79.
+      </p>
+      <p>Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result
+         of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users
+         of this specification can be obtained from the IETF on-line IPR repository at &lt;<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>&gt;.
+      </p>
+      <p>The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary
+         rights that may cover technology that may be required to implement this standard. Please address the information to the IETF
+         at <a href="mailto:ietf-ipr@ietf.org">ietf-ipr@ietf.org</a>.
+      </p>
+   </body>
+</html>

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
+<!DOCTYPE rfc [
 <!ENTITY rfc2026 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2026.xml">
 <!ENTITY rfc2109 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2109.xml">