Context Navigation

← Previous Change
Next Change →

draft-ietf-httpbis-security-properties.txt

Timestamp:

09/03/09 11:13:57 (14 years ago)

Author:

julian.reschke@…

Message:

update boilerplate and Makefile

File:

: 1 edited

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.txt (modified) (20 diffs)

Legend:

: Unmodified
: Added
: Removed

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.txt

-                      r220
+                      r549
 Internet-Draft                                            VPN Consortium
 Intended status: Informational                               A. Melnikov
 Expires: August 25, 2008                                      Isode Ltd.
                                                        February 22, 2008
+Expires: January 2, 2009                                      Isode Ltd.
+                                                               July 2008
                      Security Requirements for HTTP
                draft-ietf-httpbis-security-properties-01
+             draft-ietf-httpbis-security-properties-latest
 Status of this Memo
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.  This document may contain material
+   from IETF Documents or IETF Contributions published or made publicly
+   available before November 10, 2008.  The person(s) controlling the
+   copyright in some of this material may not have granted the IETF
+   Trust the right to allow modifications of such material outside the
+   IETF Standards Process.  Without obtaining an adequate license from
+   the person(s) controlling the copyright in such materials, this
+   document may not be modified outside the IETF Standards Process, and
+   derivative works of it may not be created outside the IETF Standards
+   Process, except to format it for publication as an RFC or to
+   translate it into languages other than English.
    Internet-Drafts are working documents of the Internet Engineering
 …
    http://www.ietf.org/shadow.html.
    This Internet-Draft will expire on August 25, 2008.
+   This Internet-Draft will expire on January 2, 2009.
 Copyright Notice
+   Copyright (C) The IETF Trust (2008).
+   Copyright (c) 2008 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+Hoffman & Melnikov       Expires January 2, 2009                [Page 1]
+Internet-Draft       Security Requirements for HTTP            July 2008
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
 Abstract
 …
-Hoffman & Melnikov       Expires August 25, 2008                [Page 1]
-Internet-Draft       Security Requirements for HTTP        February 2008
 Table of Contents
 …
 .  Existing HTTP Security Mechanisms  . . . . . . . . . . . . . .  3
 .1.  Forms And Cookies  . . . . . . . . . . . . . . . . . . . .  3
 .2.  HTTP Access Authentication . . . . . . . . . . . . . . . .  4
+.2.  HTTP Access Authentication . . . . . . . . . . . . . . . .  5
 .2.1.  Basic Authentication . . . . . . . . . . . . . . . . .  5
 .2.2.  Digest Authentication  . . . . . . . . . . . . . . . .  5
+.2.3.  Other Access Authentication Schemes  . . . . . . . . .  6
+.3.  Centrally-Issued Tickets . . . . . . . . . . . . . . . . .  6
+.4.  Web Services . . . . . . . . . . . . . . . . . . . . . . .  6
+.5.  Transport Layer Security . . . . . . . . . . . . . . . . .  7
+.  Revisions To HTTP  . . . . . . . . . . . . . . . . . . . . . .  7
+.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
+.  Normative References . . . . . . . . . . . . . . . . . . . . .  7
+   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . .  8
+   Appendix B.  Document History  . . . . . . . . . . . . . . . . . .  9
+.2.3.  Authentication Using Certificates in TLS . . . . . . .  6
+.2.4.  Other Access Authentication Schemes  . . . . . . . . .  6
+.3.  Centrally-Issued Tickets . . . . . . . . . . . . . . . . .  7
+.4.  Web Services . . . . . . . . . . . . . . . . . . . . . . .  7
+.5.  Transport Layer Security . . . . . . . . . . . . . . . . .  8
+.  Revisions To HTTP  . . . . . . . . . . . . . . . . . . . . . .  8
+.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
+.  Normative References . . . . . . . . . . . . . . . . . . . . .  8
+   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . .  9
+   Appendix B.  Document History  . . . . . . . . . . . . . . . . . . 10
      B.1.  Changes between draft-sayre-http-security-variance-00
+           and   draft-ietf-httpbis-security-properties-00  . . . . .  9
+     B.2.  Changes between -00 and -01  . . . . . . . . . . . . . . .  9
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
+   Intellectual Property and Copyright Statements . . . . . . . . . . 11
+Hoffman & Melnikov       Expires August 25, 2008                [Page 2]
+Internet-Draft       Security Requirements for HTTP        February 2008
+           and   draft-ietf-httpbis-security-properties-00  . . . . . 10
+     B.2.  Changes between -00 and -01  . . . . . . . . . . . . . . . 10
+     B.3.  Changes between -01 and -02  . . . . . . . . . . . . . . . 11
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
+Hoffman & Melnikov       Expires January 2, 2009                [Page 2]
+Internet-Draft       Security Requirements for HTTP            July 2008
 …
 Hoffman & Melnikov       Expires August 25, 2008                [Page 3]
 Internet-Draft       Security Requirements for HTTP        February 2008
+Hoffman & Melnikov       Expires January 2, 2009                [Page 3]
+Internet-Draft       Security Requirements for HTTP            July 2008
 …
    (credentials are not differentiated in the protocol).
+   HTML forms provide a facility for sites to indicate that a password
+   should never be pre-populated. [[ More needed here on autocomplete ]]
+   Many Web browsers have an auto-complete feature that stores a user's
+   information and pre-populates fields in forms.  This is considered to
+   be a convenience mechanism, and convenience mechanisms often have
+   negative security properties.  The security concerns with auto-
+   completion are particularly poignant for web browsers that reside on
+   computers with multiple users.  HTML forms provide a facility for
+   sites to indicate that a field, such as a password, should never be
+   pre-populated.  However, it is clear that some form creators do not
+   use this facility when they should.
    The cookies that result from a successful form submission make it
 …
    have no use.
+Hoffman & Melnikov       Expires January 2, 2009                [Page 4]
+Internet-Draft       Security Requirements for HTTP            July 2008
 .2.  HTTP Access Authentication
 …
    degree of support for one or both is available in many
    implementations.  Neither scheme provides presentation control,
-Hoffman & Melnikov       Expires August 25, 2008                [Page 4]
-Internet-Draft       Security Requirements for HTTP        February 2008
    logout capabilities, or interoperable internationalization.
 …
    implementations do not implement the mode that provides full message
    integrity.  Perhaps one reason is that implementation experience has
+Hoffman & Melnikov       Expires January 2, 2009                [Page 5]
+Internet-Draft       Security Requirements for HTTP            July 2008
    shown that in some cases, especially those involving large requests
    or responses such as streams, the message integrity mode is
 …
    Digest is extremely susceptible to offline dictionary attacks, making
-Hoffman & Melnikov       Expires August 25, 2008                [Page 5]
-Internet-Draft       Security Requirements for HTTP        February 2008
    it practical for attackers to perform a namespace walk consisting of
    a few million passwords [[ CITATION NEEDED ]].
+   a few million passwords for most users.
    Many of the most widely-deployed HTTP/1.1 clients are not compliant
 …
    characters outside of the ISO 8859-1 repertoire.
+.2.3.  Other Access Authentication Schemes
+.2.3.  Authentication Using Certificates in TLS
+   Running HTTP over TLS provides authentication of the HTTP server to
+   the client.  HTTP over TLS can also provides authentication of the
+   client to the server using certificates.  Although forms are a much
+   more common way to authenticate users to HTTP servers, TLS client
+   certificates are widely used in some environments.  The public key
+   infrastructure (PKI) used to validate certificates in TLS can be
+   rooted in public trust anchors or can be based on local trust
+   anchors.
+.2.4.  Other Access Authentication Schemes
    There are many niche schemes that make use of the HTTP Authentication
 …
    transport layer connections.
+.2.3.1.  Negotiate (GSS-API) Authentication
+   [[ A discussion about "SPNEGO-based Kerberos and NTLM HTTP
+   Authentication in Microsoft Windows" [RFC4559] goes here. ]]
+.2.4.1.  Negotiate (GSS-API) Authentication
+   Microsoft has designed an HTTP authentication mechanism that utilizes
+   SPNEGO [RFC4178] GSSAPI [RFC4559].  In Microsoft's implementation,
+   SPNEGO allows selection between Kerberos and NTLM (Microsoft NT Lan
+Hoffman & Melnikov       Expires January 2, 2009                [Page 6]
+Internet-Draft       Security Requirements for HTTP            July 2008
+   Manager protocols).
+   In Kerberos, clients and servers rely on a trusted third-party
+   authentication service which maintains its own authentication
+   database.  Kerberos is typically used with shared secret key
+   cryptography, but extensions for use of other authentication
+   mechnanisms such as PKIX certificates and two-factor tokens are also
+   common.  Kerberos was designed to work under the assumption that
+   packets traveling along the network can be read, modified, and
+   inserted at will.
+   Unlike Digest, Negotiate authentication can take multiple round trips
+   (client sending authentication data in Authorization, server sending
+   authentication data in WWW-Authenticate) to complete.
+   Kerberos authentication is generally more secure than Digest.
+   However the requirement for having a separate network authentication
+   service might be a barrier to deployment.
 .3.  Centrally-Issued Tickets
 …
    in XML-based protocols, using HTTP as a substitute for TCP.  Like the
    amalgam of HTTP technologies mentioned above, the XML-based protocols
-Hoffman & Melnikov       Expires August 25, 2008                [Page 6]
-Internet-Draft       Security Requirements for HTTP        February 2008
    are defined by an ever-changing combination of standard and vendor-
    produced specifications, some of which may be obsoleted at any time
 …
    to differentiate it from REST. ]]
+Hoffman & Melnikov       Expires January 2, 2009                [Page 7]
+Internet-Draft       Security Requirements for HTTP            July 2008
 .5.  Transport Layer Security
+   [[ A discussion of HTTP over TLS needs to be added here. ]]
+   [[ Discussion of connection confidentiality should be separate from
+   the discussion of access authentication based on mutual
+   authentication with certificates in TLS. ]]
+   In addition to using TLS for client and/or server authentication, it
+   is also very commonly used to protect the confidentiality and
+   integrity of the HTTP session.  For instance, both HTTP Basic
+   authentication and Cookies are often protected against snooping by
+   TLS.
+   It should be noted that, in that case, TLS does not protect against a
+   breach of the credential store at the server or against a keylogger
+   or phishing interface at the client.  TLS does not change the fact
+   that Basic Authentication passwords are reusable and does not address
+   that weakness.
 …
               <http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf>.
-Hoffman & Melnikov       Expires August 25, 2008                [Page 7]
-Internet-Draft       Security Requirements for HTTP        February 2008
    [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
 ", BCP 9, RFC 2026, October 1996.
    [RFC2109]  Kristol, D. and L. Montulli, "HTTP State Management
+Hoffman & Melnikov       Expires January 2, 2009                [Page 8]
+Internet-Draft       Security Requirements for HTTP            July 2008
               Mechanism", RFC 2109, February 1997.
 …
               RFC 3986, January 2005.
+   [RFC4178]  Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
+              Simple and Protected Generic Security Service Application
+              Program Interface (GSS-API) Negotiation Mechanism",
+              RFC 4178, October 2005.
    [RFC4559]  Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based
               Kerberos and NTLM HTTP Authentication in Microsoft
 …
+Hoffman & Melnikov       Expires August 25, 2008                [Page 8]
+Internet-Draft       Security Requirements for HTTP        February 2008
+Hoffman & Melnikov       Expires January 2, 2009                [Page 9]
+Internet-Draft       Security Requirements for HTTP            July 2008
 …
 Hoffman & Melnikov       Expires August 25, 2008                [Page 9]
 Internet-Draft       Security Requirements for HTTP        February 2008
+Hoffman & Melnikov       Expires January 2, 2009               [Page 10]
+Internet-Draft       Security Requirements for HTTP            July 2008
 …
    In A, added the WG.
+B.3.  Changes between -01 and -02
+   In section 2.1, added more to the paragraph on auto-completion of
+   HTML forms.
+   Added the section on TLS for authentication.
+   Filled in section 2.5.
 Authors' Addresses
 …
+Hoffman & Melnikov       Expires August 25, 2008               [Page 10]
+Internet-Draft       Security Requirements for HTTP        February 2008
+Full Copyright Statement
+   Copyright (C) The IETF Trust (2008).
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+Intellectual Property
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+Acknowledgment
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+Hoffman & Melnikov       Expires August 25, 2008               [Page 11]
+Hoffman & Melnikov       Expires January 2, 2009               [Page 11]

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 549 for draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.txt

Legend:

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.txt

Download in other formats: