Context Navigation

← Previous Change
Next Change →

Changeset 787 for draft-ietf-httpbis-security-properties/latest

Timestamp:

Mar 11, 2010, 2:48:42 AM (10 years ago)

Author:

julian.reschke@…

Message:

update to what was submitted as draft 04

Location:

draft-ietf-httpbis-security-properties/latest

Files:

: 3 edited

draft-ietf-httpbis-security-properties.html (modified) (20 diffs)
draft-ietf-httpbis-security-properties.txt (modified) (26 diffs)
draft-ietf-httpbis-security-properties.xml (modified) (7 diffs)

Legend:

: Unmodified
: Added
: Removed

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.html

-                      r551
+                      r787
   PUBLIC "-//W3C//DTD HTML 4.01//EN">
 <html lang="en">
    <head profile="http://www.w3.org/2006/03/hcard">
+   <head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
       <title>Security Requirements for HTTP</title><style type="text/css" title="Xml2Rfc (sans serif)">
 …
+}
+dl.empty dd {
+ul.empty {
+  list-style-type: none;
+}
+ul.empty li {
   margin-top: .5em;
+}
 …
+}
 table.header {
+  border-spacing: 1px;
   width: 95%;
   font-size: 10pt;
 …
   white-space: nowrap;
+}
 td.header {
+table.header td {
   background-color: gray;
   width: 50%;
 …
 @page {
   @top-left {
        content: "INTERNET DRAFT";
+       content: "Internet-Draft";
+  }
   @top-right {
 …
+  }
   @bottom-left {
        content: "Hoffman & Melnikov";
+       content: "Hodges & Leiba";
+  }
   @bottom-center {
 …
+}
 </style><link rel="Author" href="#rfc.authors">
       <link rel="Copyright" href="#rfc.copyright">
+      <link rel="Copyright" href="#rfc.copyrightnotice">
       <link rel="Chapter" title="1 Introduction" href="#rfc.section.1">
       <link rel="Chapter" title="2 Existing HTTP Security Mechanisms" href="#rfc.section.2">
       <link rel="Chapter" title="3 Revisions To HTTP" href="#rfc.section.3">
+      <link rel="Chapter" title="4 Security Considerations" href="#rfc.section.4">
+      <link rel="Chapter" href="#rfc.section.5" title="5 Normative References">
+      <link rel="Chapter" title="4 IANA Considerations" href="#rfc.section.4">
+      <link rel="Chapter" title="5 Security Considerations" href="#rfc.section.5">
+      <link rel="Chapter" href="#rfc.section.6" title="6 References">
       <link rel="Appendix" title="A Acknowledgements" href="#rfc.section.A">
       <link rel="Appendix" title="B Document History" href="#rfc.section.B">
+      <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.426, 2009-03-07 10:31:10, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/">
+      <link rel="schema.DC" href="http://purl.org/dc/elements/1.1/">
+      <meta name="DC.Creator" content="Hoffman, P.">
+      <meta name="DC.Creator" content="Melnikov, A.">
+      <meta name="DC.Identifier" content="urn:ietf:id:draft-ietf-httpbis-security-properties-latest">
+      <meta name="DC.Date.Issued" scheme="ISO8601" content="2009-03">
+      <meta name="DC.Description.Abstract" content="Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement security mechanisms, so that all conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes the trade-offs of each.">
+      <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.510, 2010-02-20 17:14:25, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/">
+      <link rel="schema.dct" href="http://purl.org/dc/terms/">
+      <meta name="dct.creator" content="Hodges, J.">
+      <meta name="dct.creator" content="Leiba, B.">
+      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-security-properties-latest">
+      <meta name="dct.issued" scheme="ISO8601" content="2009-03">
+      <meta name="dct.abstract" content="Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement (MTI) security mechanisms, so that all conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes the trade-offs of each.">
+      <meta name="description" content="Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement (MTI) security mechanisms, so that all conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes the trade-offs of each.">
    </head>
    <body>
+      <table summary="header information" class="header" border="0" cellpadding="1" cellspacing="1">
+         <tr>
+            <td class="header left">Network Working Group</td>
+            <td class="header right">P. Hoffman</td>
+         </tr>
+         <tr>
+            <td class="header left">Internet Draft</td>
+            <td class="header right">VPN Consortium</td>
+         </tr>
+         <tr>
+            <td class="header left">
+               &lt;draft-ietf-httpbis-security-properties-latest&gt;
+            </td>
+            <td class="header right">A. Melnikov</td>
+         </tr>
+         <tr>
+            <td class="header left">Intended status: Informational</td>
+            <td class="header right">Isode Ltd.</td>
+         </tr>
+         <tr>
+            <td class="header left">Expires: September 2009</td>
+            <td class="header right">March 9, 2009</td>
+         </tr>
+      <table class="header">
+         <tbody>
+            <tr>
+               <td class="left">Network Working Group</td>
+               <td class="right">J. Hodges</td>
+            </tr>
+            <tr>
+               <td class="left">Internet-Draft</td>
+               <td class="right">PayPal</td>
+            </tr>
+            <tr>
+               <td class="left">Intended status: Informational</td>
+               <td class="right">B. Leiba</td>
+            </tr>
+            <tr>
+               <td class="left">Expires: September 2009</td>
+               <td class="right">Huawei Technologies</td>
+            </tr>
+            <tr>
+               <td class="left"></td>
+               <td class="right">March 2009</td>
+            </tr>
+         </tbody>
       </table>
       <p class="title">Security Requirements for HTTP<br><span class="filename">draft-ietf-httpbis-security-properties-latest</span></p>
       <h1><a id="rfc.status" href="#rfc.status">Status of this Memo</a></h1>
       <p>This Internet-Draft is submitted to IETF pursuant to, and in full conformance with, the provisions of BCP 78 and BCP 79. This
          document may contain material from IETF Documents or IETF Contributions published or made publicly available before November
 , 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to
          allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s)
          controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative
          works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate
          it into languages other than English.
+      <p>This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. This document may contain
+         material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s)
+         controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of
+         such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the
+         copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of
+         it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it
+         into languages other than English.
       </p>
       <p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note
 …
          in progress”.
       </p>
       <p>The list of current Internet-Drafts can be accessed at &lt;<a href="http://www.ietf.org/ietf/1id-abstracts.txt">http://www.ietf.org/ietf/1id-abstracts.txt</a>&gt;.
       </p>
       <p>The list of Internet-Draft Shadow Directories can be accessed at &lt;<a href="http://www.ietf.org/shadow.html">http://www.ietf.org/shadow.html</a>&gt;.
+      <p>The list of current Internet-Drafts can be accessed at <a href="http://www.ietf.org/ietf/1id-abstracts.txt">http://www.ietf.org/ietf/1id-abstracts.txt</a>.
+      </p>
+      <p>The list of Internet-Draft Shadow Directories can be accessed at <a href="http://www.ietf.org/shadow.html">http://www.ietf.org/shadow.html</a>.
       </p>
       <p>This Internet-Draft will expire in September 2009.</p>
 …
       </p>
       <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
       <p>Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement security mechanisms, so that all conformant
          implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes
          the trade-offs of each.
+      <p>Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement (MTI) security mechanisms, so that all
+         conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies,
+         and analyzes the trade-offs of each.
       </p>
       <hr class="noprint">
       <h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a>&nbsp;Introduction
       </h1>
       <p id="rfc.section.1.p.1">Recent IESG practice dictates that IETF protocols are required to specify mandatory to implement security mechanisms. "The
          IETF Standards Process" <a href="#RFC2026"><cite title="The Internet Standards Process -- Revision 3">[RFC2026]</cite></a> does not require that protocols specify mandatory security mechanisms. "Strong Security Requirements for IETF Standard Protocols" <a href="#RFC3365"><cite title="Strong Security Requirements for Internet Engineering Task Force Standard Protocols">[RFC3365]</cite></a> requires that all IETF protocols provide a mechanism for implementers to provide strong security. RFC 3365 does not define
+      <p id="rfc.section.1.p.1">Recent IESG practice dictates that IETF protocols be required to specify mandatory-to-implement (MTI) security mechanisms.
+         "The IETF Standards Process" <a href="#RFC2026"><cite title="The Internet Standards Process -- Revision 3">[RFC2026]</cite></a> does not require that protocols specify mandatory security mechanisms. "Strong Security Requirements for IETF Standard Protocols" <a href="#RFC3365"><cite title="Strong Security Requirements for Internet Engineering Task Force Standard Protocols">[RFC3365]</cite></a> requires that all IETF protocols provide a mechanism for implementers to provide strong security. RFC 3365 does not define
          the term "strong security".
       </p>
       <p id="rfc.section.1.p.2">"Security Mechanisms for the Internet" <a href="#RFC3631"><cite title="Security Mechanisms for the Internet">[RFC3631]</cite></a> is not an IETF procedural RFC, but it is perhaps most relevant. Section 2.2 states:
       </p>
       <div id="rfc.figure.u.1"></div><pre>
+      <div id="rfc.figure.u.1"></div> <pre>
   We have evolved in the IETF the notion of "mandatory to implement"
   mechanisms.  This philosophy evolves from our primary desire to
 …
   selection of non-overlapping mechanisms being deployed in the
   different implementations.
 </pre><p id="rfc.section.1.p.4">This document examines the effects of applying security constraints to Web applications, documents the properties that result
+                </pre> <p id="rfc.section.1.p.4">This document examines the effects of applying security constraints to Web applications, documents the properties that result
          from each method, and will make Best Current Practice recommendations for HTTP security in a later document version. At the
          moment, it is mostly a laundry list of security technologies and tradeoffs.
+      </p>
+      <p id="rfc.section.1.p.5">[[ OVERALL ISSUE: It isn't entirely clear to the present editors what the purpose of this document is. On one hand it could
+         be a compendium of peer-entity authentication mechanisms (as it is presently) and make MTI recommendations thereof, or it
+         could be a place for various security considerations (either coalesced here from the other httpbis specs, or reserved for
+         the more gnarly cross-spec composite ones), or both. This needs to be clarified. ]]
       </p>
       <hr class="noprint">
 …
       </h1>
       <p id="rfc.section.2.p.1">For HTTP, the IETF generally defines "security mechanisms" as some combination of access authentication and/or a secure transport.</p>
+      <p id="rfc.section.2.p.2">[[ There is a suggestion that this section be split into "browser-like" and "automation-like" subsections. ]]</p>
+      <p id="rfc.section.2.p.2">[[ There is a suggestion that this section be split into "browser-like" and "automation-like" subsections. See: </p>
+      <ul class="empty">
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0180.html</li>
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0183.html</li>
+      </ul>
+      <p> ]]</p>
       <p id="rfc.section.2.p.3">[[ NTLM (shudder) was brought up in the WG a few times in the discussion of the -00 draft. Should we add a section on it?
+         ]]
+      </p>
+         See..
+      </p>
+      <ul class="empty">
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0132.html</li>
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0135.html</li>
+      </ul>
+      <p> ]]</p>
       <h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a>&nbsp;Forms And Cookies
       </h2>
+      <p id="rfc.section.2.1.p.1">Almost all HTTP authentication that involves a human using a web browser is accomplished through HTML forms, with session
+      <p id="rfc.section.2.1.p.1">[[ JH: I am not convinced that this subsection properly belongs in this overall section in that "HTTP+HTML Form based authentication"
+         &lt;http://en.wikipedia.org/wiki/HTTP%2BHTML_Form_based_authentication&gt; is not properly a part of HTTP itself. Rather, it is
+         a piece of applications layered on top of HTTP. Use of cookies for state management (e.g. session maintanence) can be considered
+         such, however (although there is no overall specification for HTTP user agents stipulating that they must implement cookies
+         (nominally <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>)). Perhaps this section should be should be retitled "HTTP Authentication".
+      </p>
+      <p id="rfc.section.2.1.p.2">Note: The httpstate WG was recently chartered to develop a successor to <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. See..
+      </p>
+      <ul class="empty">
+         <li>http://www.ietf.org/dyn/wg/charter/httpstate-charter.html</li>
+      </ul>
+      <p id="rfc.section.2.1.p.3">]]</p>
+      <p id="rfc.section.2.1.p.4">Almost all HTTP authentication that involves a human using a web browser is accomplished through HTML forms, with session
          identifiers stored in cookies. For cookies, most implementations rely on the "Netscape specification", which is described
          loosely in section 10 of "HTTP State Management Mechanism" <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. The protocol in RFC 2109 is relatively widely implemented, but most clients don't advertise support for it. RFC 2109 was
          later updated <a href="#RFC2965"><cite title="HTTP State Management Mechanism">[RFC2965]</cite></a>, but the newer version is not widely implemented.
       </p>
       <p id="rfc.section.2.1.p.2">Forms and cookies have many properties that make them an excellent solution for some implementers. However, many of those
+      <p id="rfc.section.2.1.p.5">Forms and cookies have many properties that make them an excellent solution for some implementers. However, many of those
          properties introduce serious security trade-offs.
       </p>
       <p id="rfc.section.2.1.p.3">HTML forms provide a large degree of control over presentation, which is an imperative for many websites. However, this increases
+      <p id="rfc.section.2.1.p.6">HTML forms provide a large degree of control over presentation, which is an imperative for many websites. However, this increases
          user reliance on the appearance of the interface. Many users do not understand the construction of URIs <a href="#RFC3986"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, or their presentation in common clients <a href="#PhishingHOWTO"><cite title="Phishing Tips and Techniques">[PhishingHOWTO]</cite></a>. As a result, forms are extremely vulnerable to spoofing.
       </p>
       <p id="rfc.section.2.1.p.4">HTML forms provide acceptable internationalization if used carefully, at the cost of being transmitted as normal HTTP content
+      <p id="rfc.section.2.1.p.7">HTML forms provide acceptable internationalization if used carefully, at the cost of being transmitted as normal HTTP content
          in all cases (credentials are not differentiated in the protocol).
       </p>
       <p id="rfc.section.2.1.p.5">Many Web browsers have an auto-complete feature that stores a user's information and pre-populates fields in forms. This is
+      <p id="rfc.section.2.1.p.8">Many Web browsers have an auto-complete feature that stores a user's information and pre-populates fields in forms. This is
          considered to be a convenience mechanism, and convenience mechanisms often have negative security properties. The security
          concerns with auto-completion are particularly poignant for web browsers that reside on computers with multiple users. HTML
 …
          is clear that some form creators do not use this facility when they should.
       </p>
       <p id="rfc.section.2.1.p.6">The cookies that result from a successful form submission make it unnecessary to validate credentials with each HTTP request;
+      <p id="rfc.section.2.1.p.9">The cookies that result from a successful form submission make it unnecessary to validate credentials with each HTTP request;
          this makes cookies an excellent property for scalability. Cookies are susceptible to a large variety of XSS (cross-site scripting)
          attacks, and measures to prevent such attacks will never be as stringent as necessary for authentication credentials because
 …
          data.
       </p>
       <p id="rfc.section.2.1.p.7">HTML forms and cookies provide flexible ways of ending a session from the client.</p>
       <p id="rfc.section.2.1.p.8">HTML forms require an HTML rendering engine for which many protocols have no use.</p>
+      <p id="rfc.section.2.1.p.10">HTML forms and cookies provide flexible ways of ending a session from the client.</p>
+      <p id="rfc.section.2.1.p.11">HTML forms require an HTML rendering engine for which many protocols have no use.</p>
       <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;HTTP Access Authentication
       </h2>
 …
       </p>
       <p id="rfc.section.2.2.2.p.2">Digest has some properties that are preferable to Basic and Cookies. Credentials are not immediately reusable by parties that
          observe or receive them, and session data can be transmitted along side credentials with each request, allowing servers to
+         observe or receive them, and session data can be transmitted alongside credentials with each request, allowing servers to
          validate credentials only when absolutely necessary. Authentication data session keys are distinct from other protocol traffic.
       </p>
 …
          service might be a barrier to deployment.
       </p>
+      <h4 id="rfc.section.2.2.4.2"><a href="#rfc.section.2.2.4.2">2.2.4.2</a>&nbsp;OAuth
+      </h4>
+      <p id="rfc.section.2.2.4.2.p.1">[[ See.. </p>
+      <ul class="empty">
+         <li>http://www.ietf.org/id/draft-hammer-http-token-auth-01.txt</li>
+         <li>http://www.ietf.org/id/draft-hammer-oauth-10.txt</li>
+      </ul>
+      <p> ]]</p>
       <h2 id="rfc.section.2.3"><a href="#rfc.section.2.3">2.3</a>&nbsp;Centrally-Issued Tickets
       </h2>
 …
          application protocols.
       </p>
+      <p id="rfc.section.2.4.p.2">[[ This section could really use a good definition of "Web Services" to differentiate it from REST. ]]</p>
+      <p id="rfc.section.2.4.p.2">[[ This section could really use a good definition of "Web Services" to differentiate it from REST. See.. </p>
+      <ul class="empty">
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0536.html</li>
+      </ul>
+      <p> ]]</p>
       <h2 id="rfc.section.2.5"><a href="#rfc.section.2.5">2.5</a>&nbsp;Transport Layer Security
       </h2>
 …
       </p>
       <hr class="noprint">
       <h1 id="rfc.section.4" class="np"><a href="#rfc.section.4">4.</a>&nbsp;Security Considerations
+      <h1 id="rfc.section.4" class="np"><a href="#rfc.section.4">4.</a>&nbsp;IANA Considerations
       </h1>
+      <p id="rfc.section.4.p.1">This entire document is about security considerations.</p>
+      <h1 class="np" id="rfc.references"><a href="#rfc.section.5" id="rfc.section.5">5.</a> Normative References
+      <p id="rfc.section.4.p.1">This document has no actions for IANA.</p>
+      <hr class="noprint">
+      <h1 id="rfc.section.5" class="np"><a href="#rfc.section.5">5.</a>&nbsp;Security Considerations
       </h1>
+      <table summary="Normative References">
+      <p id="rfc.section.5.p.1">This entire document is about security considerations.</p>
+      <hr class="noprint">
+      <h1 id="rfc.references" class="np"><a id="rfc.section.6" href="#rfc.section.6">6.</a> References
+      </h1>
+      <h2 class="np" id="rfc.references.1"><a href="#rfc.section.6.1" id="rfc.section.6.1">6.1</a> Normative References
+      </h2>
+      <table>
          <tr>
             <td class="reference"><b id="RFC2026">[RFC2026]</b></td>
 …
          </tr>
          <tr>
+            <td class="reference"><b id="RFC2145">[RFC2145]</b></td>
+            <td class="top"><a href="mailto:mogul@wrl.dec.com" title="Western Research Laboratory">Mogul, J.C.</a>, <a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.T.</a>, <a href="mailto:jg@w3.org" title="MIT Laboratory for Computer Science">Gettys, J.</a>, and <a href="mailto:frystyk@w3.org" title="W3 Consortium">H.F. Nielsen</a>, “<a href="http://tools.ietf.org/html/rfc2145">Use and Interpretation of HTTP Version Numbers</a>”, RFC&nbsp;2145, May&nbsp;1997.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC2616">[RFC2616]</b></td>
+            <td class="top"><a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="World Wide Web Consortium">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com" title="Compaq Computer Corporation">Mogul, J.</a>, <a href="mailto:frystyk@w3.org" title="World Wide Web Consortium">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com" title="Xerox Corporation">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, and <a href="mailto:timbl@w3.org" title="World Wide Web Consortium">T. Berners-Lee</a>, “<a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>”, RFC&nbsp;2616, June&nbsp;1999.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC2617">[RFC2617]</b></td>
+            <td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.M.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.L.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.D.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.J.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, “<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC2965">[RFC2965]</b></td>
+            <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D. M.</a> and <a href="mailto:lou@montulli.org" title="Epinions.com, Inc.">L. Montulli</a>, “<a href="http://tools.ietf.org/html/rfc2965">HTTP State Management Mechanism</a>”, RFC&nbsp;2965, October&nbsp;2000.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC3365">[RFC3365]</b></td>
+            <td class="top">Schiller, J., “<a href="http://tools.ietf.org/html/rfc3365">Strong Security Requirements for Internet Engineering Task Force Standard Protocols</a>”, BCP&nbsp;61, RFC&nbsp;3365, August&nbsp;2002.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC3631">[RFC3631]</b></td>
+            <td class="top">Bellovin, S., Schiller, J., and C. Kaufman, “<a href="http://tools.ietf.org/html/rfc3631">Security Mechanisms for the Internet</a>”, RFC&nbsp;3631, December&nbsp;2003.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC3986">[RFC3986]</b></td>
+            <td class="top"><a href="mailto:timbl@w3.org" title="World Wide Web Consortium">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com" title="Day Software">Fielding, R.</a>, and <a href="mailto:LMM@acm.org" title="Adobe Systems Incorporated">L. Masinter</a>, “<a href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>”, STD&nbsp;66, RFC&nbsp;3986, January&nbsp;2005.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC4178">[RFC4178]</b></td>
+            <td class="top">Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, “<a href="http://tools.ietf.org/html/rfc4178">The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism</a>”, RFC&nbsp;4178, October&nbsp;2005.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC4559">[RFC4559]</b></td>
+            <td class="top">Jaganathan, K., Zhu, L., and J. Brezak, “<a href="http://tools.ietf.org/html/rfc4559">SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows</a>”, RFC&nbsp;4559, June&nbsp;2006.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="Apache_Digest">[Apache_Digest]</b></td>
+            <td class="top">Apache Software Foundation, , “<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">Apache HTTP Server - mod_auth_digest</a>”, &lt;<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html</a>&gt;.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="PhishingHOWTO">[PhishingHOWTO]</b></td>
+            <td class="top">Gutmann, P., “<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">Phishing Tips and Techniques</a>”, February&nbsp;2008, &lt;<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf</a>&gt;.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="WS-Pagecount">[WS-Pagecount]</b></td>
+            <td class="top">Bray, T., “<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">WS-Pagecount</a>”, September&nbsp;2004, &lt;<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research</a>&gt;.
+            </td>
+         </tr>
+      </table>
+      <h2 id="rfc.references.2"><a href="#rfc.section.6.2" id="rfc.section.6.2">6.2</a> Informative References
+      </h2>
+      <table>
+         <tr>
             <td class="reference"><b id="RFC2109">[RFC2109]</b></td>
             <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D.M.</a> and <a href="mailto:montulli@netscape.com" title="Netscape Communications Corp.">L. Montulli</a>, “<a href="http://tools.ietf.org/html/rfc2109">HTTP State Management Mechanism</a>”, RFC&nbsp;2109, February&nbsp;1997.
             </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC2145">[RFC2145]</b></td>
-            <td class="top"><a href="mailto:mogul@wrl.dec.com" title="Western Research Laboratory">Mogul, J.C.</a>, <a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.T.</a>, <a href="mailto:jg@w3.org" title="MIT Laboratory for Computer Science">Gettys, J.</a>, and <a href="mailto:frystyk@w3.org" title="W3 Consortium">H.F. Nielsen</a>, “<a href="http://tools.ietf.org/html/rfc2145">Use and Interpretation of HTTP Version Numbers</a>”, RFC&nbsp;2145, May&nbsp;1997.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC2616">[RFC2616]</b></td>
-            <td class="top"><a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="World Wide Web Consortium">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com" title="Compaq Computer Corporation">Mogul, J.</a>, <a href="mailto:frystyk@w3.org" title="World Wide Web Consortium">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com" title="Xerox Corporation">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, and <a href="mailto:timbl@w3.org" title="World Wide Web Consortium">T. Berners-Lee</a>, “<a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>”, RFC&nbsp;2616, June&nbsp;1999.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC2617">[RFC2617]</b></td>
-            <td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.M.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.L.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.D.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.J.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, “<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC2965">[RFC2965]</b></td>
-            <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D. M.</a> and <a href="mailto:lou@montulli.org" title="Epinions.com, Inc.">L. Montulli</a>, “<a href="http://tools.ietf.org/html/rfc2965">HTTP State Management Mechanism</a>”, RFC&nbsp;2965, October&nbsp;2000.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC3365">[RFC3365]</b></td>
-            <td class="top">Schiller, J., “<a href="http://tools.ietf.org/html/rfc3365">Strong Security Requirements for Internet Engineering Task Force Standard Protocols</a>”, BCP&nbsp;61, RFC&nbsp;3365, August&nbsp;2002.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC3631">[RFC3631]</b></td>
-            <td class="top">Bellovin, S., Schiller, J., and C. Kaufman, “<a href="http://tools.ietf.org/html/rfc3631">Security Mechanisms for the Internet</a>”, RFC&nbsp;3631, December&nbsp;2003.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC3986">[RFC3986]</b></td>
-            <td class="top"><a href="mailto:timbl@w3.org" title="World Wide Web Consortium">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com" title="Day Software">Fielding, R.</a>, and <a href="mailto:LMM@acm.org" title="Adobe Systems Incorporated">L. Masinter</a>, “<a href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>”, STD&nbsp;66, RFC&nbsp;3986, January&nbsp;2005.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC4178">[RFC4178]</b></td>
-            <td class="top">Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, “<a href="http://tools.ietf.org/html/rfc4178">The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism</a>”, RFC&nbsp;4178, October&nbsp;2005.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="RFC4559">[RFC4559]</b></td>
-            <td class="top">Jaganathan, K., Zhu, L., and J. Brezak, “<a href="http://tools.ietf.org/html/rfc4559">SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows</a>”, RFC&nbsp;4559, June&nbsp;2006.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="Apache_Digest">[Apache_Digest]</b></td>
-            <td class="top">Apache Software Foundation, , “<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">Apache HTTP Server - mod_auth_digest</a>”, &lt;<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html</a>&gt;.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="PhishingHOWTO">[PhishingHOWTO]</b></td>
-            <td class="top">Gutmann, P., “<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">Phishing Tips and Techniques</a>”, February&nbsp;2008, &lt;<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf</a>&gt;.
-            </td>
-         </tr>
-         <tr>
-            <td class="reference"><b id="WS-Pagecount">[WS-Pagecount]</b></td>
-            <td class="top">Bray, T., “<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">WS-Pagecount</a>”, September&nbsp;2004, &lt;<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research</a>&gt;.
-            </td>
          </tr>
       </table>
       <hr class="noprint">
+      <h1 id="rfc.authors" class="np"><a href="#rfc.authors">Authors' Addresses</a></h1>
+      <address class="vcard"><span class="vcardline"><span class="fn">Paul Hoffman</span><span class="n hidden"><span class="family-name">Hoffman</span><span class="given-name">Paul</span></span></span><span class="org vcardline">VPN Consortium</span><span class="vcardline">EMail: <a href="mailto:paul.hoffman@vpnc.org"><span class="email">paul.hoffman@vpnc.org</span></a></span></address>
+      <address class="vcard"><span class="vcardline"><span class="fn">Alexey Melnikov</span><span class="n hidden"><span class="family-name">Melnikov</span><span class="given-name">Alexey</span></span></span><span class="org vcardline">Isode Ltd.</span><span class="vcardline">EMail: <a href="mailto:alexey.melnikov@isode.com"><span class="email">alexey.melnikov@isode.com</span></a></span></address>
+      <div class="avoidbreak">
+         <h1 id="rfc.authors" class="np"><a href="#rfc.authors">Authors' Addresses</a></h1>
+         <address class="vcard"><span class="vcardline"><span class="fn">Jeff Hodges</span><span class="n hidden"><span class="family-name">Hodges</span><span class="given-name">Jeff</span></span></span><span class="org vcardline">PayPal</span><span class="vcardline">EMail: <a href="mailto:Jeff.Hodges@PayPal.com"><span class="email">Jeff.Hodges@PayPal.com</span></a></span></address>
+         <address class="vcard"><span class="vcardline"><span class="fn">Barry Leiba</span><span class="n hidden"><span class="family-name">Leiba</span><span class="given-name">Barry</span></span></span><span class="org vcardline">Huawei Technologies</span><span class="vcardline tel">Phone: <a href="tel:+16468270648"><span class="value">+1 646 827 0648</span></a></span><span class="vcardline">EMail: <a href="mailto:barryleiba@computer.org"><span class="email">barryleiba@computer.org</span></a></span><span class="vcardline">URI: <a href="http://internetmessagingtechnology.org/" class="url">http://internetmessagingtechnology.org/</a></span></address>
+      </div>
       <hr class="noprint">
       <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a>&nbsp;Acknowledgements
 …
       </h1>
       <p id="rfc.section.B.p.1">[This entire section is to be removed when published as an RFC.]</p>
       <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a>&nbsp;Changes between draft-sayre-http-security-variance-00 and   draft-ietf-httpbis-security-properties-00
+      <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a>&nbsp;Changes between draft-sayre-http-security-variance-00 and                 draft-ietf-httpbis-security-properties-00
       </h2>
       <p id="rfc.section.B.1.p.1">Changed the authors to Paul Hoffman and Alexey Melnikov, with permission of Rob Sayre.</p>
 …
       <p id="rfc.section.B.3.p.2">Added the section on TLS for authentication.</p>
       <p id="rfc.section.B.3.p.3">Filled in section 2.5.</p>
+      <h2 id="rfc.section.B.4"><a href="#rfc.section.B.4">B.4</a>&nbsp;Changes between -02 and -03
+      </h2>
+      <p id="rfc.section.B.4.p.1">Changed IPR licensing from "full3978" to "pre5378Trust200902".</p>
+      <h2 id="rfc.section.B.5"><a href="#rfc.section.B.5">B.5</a>&nbsp;Changes between -03 and -04
+      </h2>
+      <p id="rfc.section.B.5.p.1">Changed authors to be Jeff Hodges (JH) and Barry Leiba (BL) with permission of Paul Hoffman, Alexey Melnikov, and Mark Nottingham
+         (httpbis chair).
+      </p>
+      <p id="rfc.section.B.5.p.2">Added "OVERALL ISSUE" to introduction.</p>
+      <p id="rfc.section.B.5.p.3">Added links to email messages on mailing list(s) where various suggestions for this document were brought up. I.e. added various
+         links to those comments herein delimited by "[[...]]" braces.
+      </p>
+      <p id="rfc.section.B.5.p.4">Noted JH's belief that "HTTP+HTML Form based authentication" aka "Forms And Cookies" doesn't properly belong in the section
+         where it presently resides. Added link to httpstate WG.
+      </p>
+      <p id="rfc.section.B.5.p.5">Added references to OAuth. Section needs to be filled-in as yet.</p>
+      <p id="rfc.section.B.5.p.6">Moved ref to RFC2109 to new "Informative References" section, and added a placeholder "IANA Considerations" section in order
+         to satisfy IDnits checking.
+      </p>
    </body>
 </html>

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.txt

-                      r551
+                      r787
 Network Working Group                                         P. Hoffman
 Internet-Draft                                            VPN Consortium
 Intended status: Informational                               A. Melnikov
 Expires: September 10, 2009                                   Isode Ltd.
                                                            March 9, 2009
+Network Working Group                                          J. Hodges
+Internet-Draft                                                    PayPal
+Intended status: Informational                                  B. Leiba
+Expires: September 2, 2009                           Huawei Technologies
+                                                              March 2009
 …
    http://www.ietf.org/shadow.html.
    This Internet-Draft will expire on September 10, 2009.
+   This Internet-Draft will expire on September 2, 2009.
 Copyright Notice
 …
 Hoffman & Melnikov     Expires September 10, 2009               [Page 1]
+Hodges & Leiba          Expires September 2, 2009               [Page 1]
 …
    Recent IESG practice dictates that IETF protocols must specify
    mandatory-to-implement security mechanisms, so that all conformant
    implementations share a common baseline.  This document examines all
    widely deployed HTTP security technologies, and analyzes the trade-
    offs of each.
+   mandatory-to-implement (MTI) security mechanisms, so that all
+   conformant implementations share a common baseline.  This document
+   examines all widely deployed HTTP security technologies, and analyzes
+   the trade-offs of each.
 …
 .  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
 .  Existing HTTP Security Mechanisms  . . . . . . . . . . . . . .  3
 .1.  Forms And Cookies  . . . . . . . . . . . . . . . . . . . .  3
+.1.  Forms And Cookies  . . . . . . . . . . . . . . . . . . . .  4
 .2.  HTTP Access Authentication . . . . . . . . . . . . . . . .  5
+.2.1.  Basic Authentication . . . . . . . . . . . . . . . . .  5
+.2.2.  Digest Authentication  . . . . . . . . . . . . . . . .  5
+.2.3.  Authentication Using Certificates in TLS . . . . . . .  6
+.2.4.  Other Access Authentication Schemes  . . . . . . . . .  6
+.3.  Centrally-Issued Tickets . . . . . . . . . . . . . . . . .  7
+.4.  Web Services . . . . . . . . . . . . . . . . . . . . . . .  7
+.5.  Transport Layer Security . . . . . . . . . . . . . . . . .  8
+.  Revisions To HTTP  . . . . . . . . . . . . . . . . . . . . . .  8
+.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
+.  Normative References . . . . . . . . . . . . . . . . . . . . .  8
+   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . .  9
+   Appendix B.  Document History  . . . . . . . . . . . . . . . . . . 10
+.2.1.  Basic Authentication . . . . . . . . . . . . . . . . .  6
+.2.2.  Digest Authentication  . . . . . . . . . . . . . . . .  6
+.2.3.  Authentication Using Certificates in TLS . . . . . . .  7
+.2.4.  Other Access Authentication Schemes  . . . . . . . . .  7
+.3.  Centrally-Issued Tickets . . . . . . . . . . . . . . . . .  8
+.4.  Web Services . . . . . . . . . . . . . . . . . . . . . . .  8
+.5.  Transport Layer Security . . . . . . . . . . . . . . . . .  9
+.  Revisions To HTTP  . . . . . . . . . . . . . . . . . . . . . .  9
+.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
+.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
+.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
+.1.  Normative References . . . . . . . . . . . . . . . . . . . 10
+.2.  Informative References . . . . . . . . . . . . . . . . . . 11
+   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . . 11
+   Appendix B.  Document History  . . . . . . . . . . . . . . . . . . 11
      B.1.  Changes between draft-sayre-http-security-variance-00
+           and   draft-ietf-httpbis-security-properties-00  . . . . . 10
+     B.2.  Changes between -00 and -01  . . . . . . . . . . . . . . . 10
+     B.3.  Changes between -01 and -02  . . . . . . . . . . . . . . . 11
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
+Hoffman & Melnikov     Expires September 10, 2009               [Page 2]
+           and
+           draft-ietf-httpbis-security-properties-00  . . . . . . . . 11
+     B.2.  Changes between -00 and -01  . . . . . . . . . . . . . . . 11
+     B.3.  Changes between -01 and -02  . . . . . . . . . . . . . . . 12
+     B.4.  Changes between -02 and -03  . . . . . . . . . . . . . . . 12
+     B.5.  Changes between -03 and -04  . . . . . . . . . . . . . . . 13
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
+Hodges & Leiba          Expires September 2, 2009               [Page 2]
 …
 .  Introduction
    Recent IESG practice dictates that IETF protocols are required to
    specify mandatory to implement security mechanisms.  "The IETF
+   Recent IESG practice dictates that IETF protocols be required to
+   specify mandatory-to-implement (MTI) security mechanisms.  "The IETF
    Standards Process" [RFC2026] does not require that protocols specify
    mandatory security mechanisms.  "Strong Security Requirements for
 …
    laundry list of security technologies and tradeoffs.
+   [[ OVERALL ISSUE: It isn't entirely clear to the present editors what
+   the purpose of this document is.  On one hand it could be a
+   compendium of peer-entity authentication mechanisms (as it is
+   presently) and make MTI recommendations thereof, or it could be a
+   place for various security considerations (either coalesced here from
+   the other httpbis specs, or reserved for the more gnarly cross-spec
+   composite ones), or both.  This needs to be clarified. ]]
 .  Existing HTTP Security Mechanisms
 …
    [[ There is a suggestion that this section be split into "browser-
+   like" and "automation-like" subsections. ]]
+   like" and "automation-like" subsections.  See:
+Hodges & Leiba          Expires September 2, 2009               [Page 3]
+Internet-Draft       Security Requirements for HTTP           March 2009
+      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
+.html
+      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
+.html
+   ]]
    [[ NTLM (shudder) was brought up in the WG a few times in the
+   discussion of the -00 draft.  Should we add a section on it? ]]
+   discussion of the -00 draft.  Should we add a section on it?  See..
+      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
+.html
+      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
+.html
+   ]]
 .1.  Forms And Cookies
+   [[ JH: I am not convinced that this subsection properly belongs in
+   this overall section in that "HTTP+HTML Form based authentication"
+   <http://en.wikipedia.org/wiki/HTTP%2BHTML_Form_based_authentication>
+   is not properly a part of HTTP itself.  Rather, it is a piece of
+   applications layered on top of HTTP.  Use of cookies for state
+   management (e.g. session maintanence) can be considered such, however
+   (although there is no overall specification for HTTP user agents
+   stipulating that they must implement cookies (nominally [RFC2109])).
+   Perhaps this section should be should be retitled "HTTP
+   Authentication".
+   Note: The httpstate WG was recently chartered to develop a successor
+   to [RFC2109].  See..
+      http://www.ietf.org/dyn/wg/charter/httpstate-charter.html
+   ]]
    Almost all HTTP authentication that involves a human using a web
 …
    stored in cookies.  For cookies, most implementations rely on the
    "Netscape specification", which is described loosely in section 10 of
-Hoffman & Melnikov     Expires September 10, 2009               [Page 3]
-Internet-Draft       Security Requirements for HTTP           March 2009
    "HTTP State Management Mechanism" [RFC2109].  The protocol in RFC
 is relatively widely implemented, but most clients don't
    advertise support for it.  RFC 2109 was later updated [RFC2965], but
    the newer version is not widely implemented.
+Hodges & Leiba          Expires September 2, 2009               [Page 4]
+Internet-Draft       Security Requirements for HTTP           March 2009
    Forms and cookies have many properties that make them an excellent
 …
    have no use.
-Hoffman & Melnikov     Expires September 10, 2009               [Page 4]
-Internet-Draft       Security Requirements for HTTP           March 2009
 .2.  HTTP Access Authentication
 …
    which defines two optional mechanisms.  Both of these mechanisms are
    extremely rarely used in comparison to forms and cookies, but some
+Hodges & Leiba          Expires September 2, 2009               [Page 5]
+Internet-Draft       Security Requirements for HTTP           March 2009
    degree of support for one or both is available in many
    implementations.  Neither scheme provides presentation control,
 …
    Digest has some properties that are preferable to Basic and Cookies.
    Credentials are not immediately reusable by parties that observe or
    receive them, and session data can be transmitted along side
+   receive them, and session data can be transmitted alongside
    credentials with each request, allowing servers to validate
    credentials only when absolutely necessary.  Authentication data
 …
    implementations do not implement the mode that provides full message
    integrity.  Perhaps one reason is that implementation experience has
-Hoffman & Melnikov     Expires September 10, 2009               [Page 5]
-Internet-Draft       Security Requirements for HTTP           March 2009
    shown that in some cases, especially those involving large requests
    or responses such as streams, the message integrity mode is
 …
    whether message-body integrity has been violated and hence whether
    the request can be processed.
+Hodges & Leiba          Expires September 2, 2009               [Page 6]
+Internet-Draft       Security Requirements for HTTP           March 2009
    Digest is extremely susceptible to offline dictionary attacks, making
 …
    SPNEGO [RFC4178] GSSAPI [RFC4559].  In Microsoft's implementation,
    SPNEGO allows selection between Kerberos and NTLM (Microsoft NT Lan
-Hoffman & Melnikov     Expires September 10, 2009               [Page 6]
-Internet-Draft       Security Requirements for HTTP           March 2009
    Manager protocols).
 …
    cryptography, but extensions for use of other authentication
    mechnanisms such as PKIX certificates and two-factor tokens are also
+Hodges & Leiba          Expires September 2, 2009               [Page 7]
+Internet-Draft       Security Requirements for HTTP           March 2009
    common.  Kerberos was designed to work under the assumption that
    packets traveling along the network can be read, modified, and
 …
    However the requirement for having a separate network authentication
    service might be a barrier to deployment.
+.2.4.2.  OAuth
+   [[ See..
+      http://www.ietf.org/id/draft-hammer-http-token-auth-01.txt
+      http://www.ietf.org/id/draft-hammer-oauth-10.txt
+   ]]
 .3.  Centrally-Issued Tickets
 …
    based application protocols.
+Hodges & Leiba          Expires September 2, 2009               [Page 8]
+Internet-Draft       Security Requirements for HTTP           March 2009
    [[ This section could really use a good definition of "Web Services"
+   to differentiate it from REST. ]]
+Hoffman & Melnikov     Expires September 10, 2009               [Page 7]
+Internet-Draft       Security Requirements for HTTP           March 2009
+   to differentiate it from REST.  See..
+      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
+.html
+   ]]
 .5.  Transport Layer Security
 …
+.  Security Considerations
+.  IANA Considerations
+   This document has no actions for IANA.
+.  Security Considerations
    This entire document is about security considerations.
+.  Normative References
+.  References
+Hodges & Leiba          Expires September 2, 2009               [Page 9]
+Internet-Draft       Security Requirements for HTTP           March 2009
+.1.  Normative References
    [Apache_Digest]
 …
 ", BCP 9, RFC 2026, October 1996.
-   [RFC2109]  Kristol, D. and L. Montulli, "HTTP State Management
-Hoffman & Melnikov     Expires September 10, 2009               [Page 8]
-Internet-Draft       Security Requirements for HTTP           March 2009
-              Mechanism", RFC 2109, February 1997.
    [RFC2145]  Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use
               and Interpretation of HTTP Version Numbers", RFC 2145,
 …
    [RFC4559]  Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based
+Hodges & Leiba          Expires September 2, 2009              [Page 10]
+Internet-Draft       Security Requirements for HTTP           March 2009
               Kerberos and NTLM HTTP Authentication in Microsoft
               Windows", RFC 4559, June 2006.
 …
               www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research>.
+.2.  Informative References
+   [RFC2109]  Kristol, D. and L. Montulli, "HTTP State Management
+              Mechanism", RFC 2109, February 1997.
 Appendix A.  Acknowledgements
 …
-Hoffman & Melnikov     Expires September 10, 2009               [Page 9]
-Internet-Draft       Security Requirements for HTTP           March 2009
 Appendix B.  Document History
 …
    Added the suggestions about splitting for browsers and automation,
    and about adding NTLM, to be beginning of 2.
+Hodges & Leiba          Expires September 2, 2009              [Page 11]
+Internet-Draft       Security Requirements for HTTP           March 2009
    In 2.1, added "that involves a human using a web browser" in the
 …
    to
-Hoffman & Melnikov     Expires September 10, 2009              [Page 10]
-Internet-Draft       Security Requirements for HTTP           March 2009
 …
    Filled in section 2.5.
+B.4.  Changes between -02 and -03
+   Changed IPR licensing from "full3978" to "pre5378Trust200902".
+Hodges & Leiba          Expires September 2, 2009              [Page 12]
+Internet-Draft       Security Requirements for HTTP           March 2009
+B.5.  Changes between -03 and -04
+   Changed authors to be Jeff Hodges (JH) and Barry Leiba (BL) with
+   permission of Paul Hoffman, Alexey Melnikov, and Mark Nottingham
+   (httpbis chair).
+   Added "OVERALL ISSUE" to introduction.
+   Added links to email messages on mailing list(s) where various
+   suggestions for this document were brought up.  I.e. added various
+   links to those comments herein delimited by "[[...]]" braces.
+   Noted JH's belief that "HTTP+HTML Form based authentication" aka
+   "Forms And Cookies" doesn't properly belong in the section where it
+   presently resides.  Added link to httpstate WG.
+   Added references to OAuth.  Section needs to be filled-in as yet.
+   Moved ref to RFC2109 to new "Informative References" section, and
+   added a placeholder "IANA Considerations" section in order to satisfy
+   IDnits checking.
 Authors' Addresses
+   Paul Hoffman
+   VPN Consortium
+   Email: paul.hoffman@vpnc.org
+   Alexey Melnikov
+   Isode Ltd.
+   Email: alexey.melnikov@isode.com
+Hoffman & Melnikov     Expires September 10, 2009              [Page 11]
+   Jeff Hodges
+   PayPal
+   Email: Jeff.Hodges@PayPal.com
+   Barry Leiba
+   Huawei Technologies
+   Phone: +1 646 827 0648
+   Email: barryleiba@computer.org
+   URI:   http://internetmessagingtechnology.org/
+Hodges & Leiba          Expires September 2, 2009              [Page 13]

draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.xml

-                      r551
+                      r787
   docName="draft-ietf-httpbis-security-properties-latest">
+<?xml-stylesheet type='text/xsl' href='rfc2629xslt/rfc2629.xslt' ?>
+<?rfc toc="yes" ?>
+<?rfc symrefs="yes" ?>
+<?rfc sortrefs="yes"?>
+<?rfc strict="yes" ?>
+<?rfc compact="yes" ?>
+<?rfc subcompact="no" ?>
+<?rfc linkmailto='no'?>
+<?rfc comments="yes"?>
+<?rfc inline="yes"?>
+<front>
+  <title>Security Requirements for HTTP</title>
+  <author initials='P.' surname="Hoffman" fullname='Paul Hoffman'>
+    <organization>VPN Consortium</organization>
+    <address><email>paul.hoffman@vpnc.org</email> </address>
+  </author>
+  <author initials='A.' surname="Melnikov" fullname='Alexey Melnikov'>
+     <organization>Isode Ltd.</organization>
+     <address><email>alexey.melnikov@isode.com</email> </address>
+  </author>
+  <date year="2009" month='March'/>
+  <abstract>
+    <t>Recent IESG practice dictates that IETF protocols must specify
+      mandatory-to-implement security mechanisms, so that
+      all conformant implementations share a common baseline. This
+      document examines all widely deployed HTTP security
+      technologies, and analyzes the trade-offs of
+      each.</t>
+  </abstract>
+</front>
+<middle>
+    <?xml-stylesheet type="text/xsl" href="rfc2629xslt/rfc2629.xslt" ?>
+    <?rfc toc="yes" ?>
+    <?rfc symrefs="yes" ?>
+    <?rfc sortrefs="yes"?>
+    <?rfc strict="yes" ?>
+    <?rfc compact="yes" ?>
+    <?rfc subcompact="no" ?>
+    <?rfc linkmailto="no"?>
+    <?rfc comments="yes"?>
+    <?rfc inline="yes"?>
+    <front>
+        <title>Security Requirements for HTTP</title>
+        <author initials="J." surname="Hodges" fullname="Jeff Hodges">
+            <organization>PayPal</organization>
+            <address>
+                <email>Jeff.Hodges@PayPal.com</email>
+            </address>
+        </author>
+        <author initials='B.' surname="Leiba" fullname='Barry Leiba'>
+            <organization>Huawei Technologies</organization>
+            <address>
+                <phone>+1 646 827 0648</phone>
+                <email>barryleiba@computer.org</email>
+                <uri>http://internetmessagingtechnology.org/</uri>
+            </address>
+        </author>
+        <date year="2009" month="March"/>
+        <abstract>
+            <t>
+                Recent IESG practice dictates that IETF protocols must
+                specify mandatory-to-implement (MTI) security mechanisms, so
+                that all conformant implementations share a common
+                baseline. This document examines all widely deployed
+                HTTP security technologies, and analyzes the
+                trade-offs of each.
+            </t>
+        </abstract>
+    </front>
+    <middle>
+<section title="Introduction">
+<t>Recent IESG practice dictates that IETF protocols are required to
+specify mandatory to implement security mechanisms. "The IETF
+Standards Process" <xref target="RFC2026"/> does not require that
+protocols specify mandatory security mechanisms. "Strong Security
+Requirements for IETF Standard Protocols" <xref target="RFC3365"/>
+requires that all IETF protocols provide a mechanism for implementers
+to provide strong security. RFC 3365 does not define the term "strong
+security".</t>
+<t>"Security Mechanisms for the Internet" <xref target="RFC3631"/> is
+not an IETF procedural RFC, but it is perhaps most relevant. Section
+.2 states:</t>
+<figure><artwork>
+        <section title="Introduction">
+            <t>
+                Recent IESG practice dictates that IETF protocols be
+                required to specify mandatory-to-implement (MTI) security
+                mechanisms. "The IETF Standards Process" <xref
+                target="RFC2026"/> does not require that protocols
+                specify mandatory security mechanisms. "Strong
+                Security Requirements for IETF Standard Protocols"
+                <xref target="RFC3365"/> requires that all IETF
+                protocols provide a mechanism for implementers to
+                provide strong security. RFC 3365 does not define the
+                term "strong security".
+            </t>
+            <t>
+                "Security Mechanisms for the Internet" <xref
+                target="RFC3631"/> is not an IETF procedural RFC, but
+                it is perhaps most relevant. Section 2.2 states:
+            </t>
+            <figure>
+                <artwork>
   We have evolved in the IETF the notion of "mandatory to implement"
   mechanisms.  This philosophy evolves from our primary desire to
 …
   selection of non-overlapping mechanisms being deployed in the
   different implementations.
+</artwork></figure>
+<t>This document examines the effects of applying security constraints
+to Web applications, documents the properties that result from each
+method, and will make Best Current Practice recommendations for HTTP
+security in a later document version. At the moment, it is mostly a
+laundry list of security technologies and tradeoffs.</t>
+</section>
+<section title="Existing HTTP Security Mechanisms">
+<t>For HTTP, the IETF generally defines "security mechanisms" as some
+combination of access authentication and/or a secure transport.</t>
+<t>[[ There is a suggestion that this section be split into
+"browser-like" and "automation-like" subsections. ]]</t>
+<t>[[ NTLM (shudder) was brought up in the WG a few times in
+the discussion of the -00 draft. Should we add a section on it? ]]</t>
+<section title="Forms And Cookies">
+<t>Almost all HTTP authentication that involves a human
+using a web browser is accomplished through HTML forms,
+with session identifiers stored in cookies. For cookies, most implementations
+rely on the "Netscape specification", which is described loosely in
+section 10 of "HTTP State Management Mechanism" <xref
+target="RFC2109"/>. The protocol in RFC 2109 is relatively widely
+implemented, but most clients don't advertise support for it. RFC 2109
+was later updated <xref target="RFC2965"/>, but the newer version is
+not widely implemented.</t>
+<t>Forms and cookies have many properties that make them an
+excellent solution for some implementers. However, many of those
+properties introduce serious security trade-offs.</t>
+<t>HTML forms provide a large degree of control over presentation,
+which is an imperative for many websites. However, this increases user
+reliance on the appearance of the interface. Many users do not
+understand the construction of URIs <xref target="RFC3986"/>, or their
+presentation in common clients <xref target="PhishingHOWTO"/>.
+As a result,
+forms are extremely vulnerable to spoofing.</t>
+<t>HTML forms provide acceptable internationalization if used
+carefully, at the cost of being transmitted as normal HTTP content in
+all cases (credentials are not differentiated in the protocol).</t>
+<t>Many Web browsers have an auto-complete feature that stores a
+user's information and pre-populates fields in forms. This is
+considered to be a convenience mechanism, and convenience mechanisms
+often have negative security properties. The security concerns with
+auto-completion are particularly poignant for web browsers that reside
+on computers with multiple users. HTML forms provide a facility for
+sites to indicate that a field, such as a password, should never be
+pre-populated. However, it is clear that some form creators do not use
+this facility when they should.</t>
+<t>The cookies that result from a successful form submission make it
+unnecessary to validate credentials with each HTTP request; this makes
+cookies an excellent property for scalability. Cookies are susceptible
+to a large variety of XSS (cross-site scripting) attacks, and measures
+to prevent such attacks will never be as stringent as necessary for
+authentication credentials because cookies are used for many purposes.
+Cookies are also susceptible to a wide variety of attacks from
+malicious intermediaries and observers. The possible attacks depend on
+the contents of the cookie data. There is no standard format for most
+of the data.</t>
+<t>HTML forms and cookies provide flexible ways of ending a session
+from the client.</t>
+<t>HTML forms require an HTML rendering engine for which many protocols
+have no use.</t>
+</section>
+<section title="HTTP Access Authentication">
+<t>HTTP 1.1 provides a simple authentication framework, "HTTP
+Authentication: Basic and Digest Access Authentication" <xref
+target="RFC2617"/>, which defines two optional mechanisms. Both of these
+mechanisms are extremely rarely used in comparison to forms and
+cookies, but some degree of support for one or both is available in
+many implementations. Neither scheme provides presentation control,
+logout capabilities, or interoperable internationalization.</t>
+<section title="Basic Authentication">
+<t>Basic Authentication (normally called just "Basic") transmits
+usernames and passwords in the clear. It is very easy to implement,
+but not at all secure unless used over a secure transport.</t>
+<t>Basic has very poor scalability properties because credentials must
+be revalidated with every request, and because secure transports
+negate many of HTTP's caching mechanisms. Some implementations use
+cookies in combination with Basic credentials, but there is no
+standard method of doing so.</t>
+<t>Since Basic credentials are clear text, they are reusable by any
+party. This makes them compatible with any authentication database, at
+the cost of making the user vulnerable to mismanaged or malicious
+servers, even over a secure channel.</t>
+<t>Basic is not interoperable when used with credentials that contain
+characters outside of the ISO 8859-1 repertoire.</t>
+</section>
+<section title="Digest Authentication">
+<t>In Digest Authentication, the client transmits the results of
+hashing user credentials with properties of the request and values
+from the server challenge. Digest is susceptible to man-in-the-middle
+attacks when not used over a secure transport.</t>
+<t>Digest has some properties that are preferable to Basic and
+Cookies. Credentials are not immediately reusable by parties that
+observe or receive them, and session data can be transmitted along
+side credentials with each request, allowing servers to validate
+credentials only when absolutely necessary. Authentication data
+session keys are distinct from other protocol traffic.</t>
+<t>Digest includes many modes of operation, but only the simplest
+modes enjoy any degree of interoperability.  For example, most
+implementations do not implement the mode that provides full message
+integrity.  Perhaps one reason is that implementation experience has
+shown that in some cases, especially those involving large requests or
+responses such as streams, the message integrity mode is impractical
+because it requires servers to analyze the full request before
+determining whether the client knows the shared secret or whether
+message-body integrity has been violated and hence whether the request
+can be processed.</t>
+<t>Digest is extremely susceptible to offline dictionary attacks,
+making it practical for attackers to perform a namespace walk
+consisting of a few million passwords for most users.</t>
+<t>Many of the most widely-deployed HTTP/1.1 clients are not compliant
+when GET requests include a query string <xref target="Apache_Digest"/>.</t>
+<t>Digest either requires that authentication databases be expressly designed
+to accommodate it, or requires access to cleartext passwords.
+As a result, many authentication databases that chose to do the former are
+incompatible, including the most common method of storing passwords
+for use with Forms and Cookies.</t>
+<t>Many Digest capabilities included to prevent replay attacks expose
+the server to Denial of Service attacks.</t>
+<t>Digest is not interoperable when used with credentials that contain
+characters outside of the ISO 8859-1 repertoire.</t>
+</section>
+<section title="Authentication Using Certificates in TLS">
+<t>Running HTTP over TLS provides authentication of the HTTP server to
+the client. HTTP over TLS can also provides authentication of the
+client to the server using certificates. Although forms are a much
+more common way to authenticate users to HTTP servers, TLS client
+certificates are widely used in some environments.  The
+public key infrastructure (PKI) used
+to validate certificates in TLS can be rooted in public trust anchors
+or can be based on local trust anchors.</t>
+</section>
+<section title="Other Access Authentication Schemes">
+<t>There are many niche schemes that make use of the HTTP
+Authentication framework, but very few are well documented. Some are
+bound to transport layer connections.</t>
+<section title="Negotiate (GSS-API) Authentication">
+<t>Microsoft has designed an HTTP authentication mechanism that utilizes
+SPNEGO <xref target="RFC4178"/> GSSAPI <xref target='RFC4559'/>. In Microsoft's
+implementation, SPNEGO allows selection between Kerberos and NTLM (Microsoft NT
+Lan Manager protocols).</t>
+<t>In Kerberos, clients and servers rely on a trusted third-party authentication service
+which maintains its own authentication database. Kerberos is typically used with shared
+secret key cryptography, but extensions for use of other authentication mechnanisms such
+as PKIX certificates and two-factor tokens are also common.
+Kerberos was designed to work under the assumption that packets traveling along
+the network can be read, modified, and inserted at will.</t>
+<t>Unlike Digest, Negotiate authentication can take multiple round trips (client sending
+authentication data in Authorization, server sending authentication data in WWW-Authenticate)
+to complete.
+</t>
+<t>Kerberos authentication is generally more secure than Digest. However the requirement
+for having a separate network authentication service might be a barrier to deployment.</t>
+<!--
+Kerberos didn't support Unicode till relatively recently. I am not sure if this
+is an issue with Microsoft's implementation.
+-->
+</section>
+</section>
+</section>
+<section title="Centrally-Issued Tickets">
+<t>Many large Internet services rely on authentication schemes that
+center on clients consulting a single service for a time-limited
+ticket that is validated with undocumented heuristics. Centralized
+ticket issuing has the advantage that users may employ one set of
+credentials for many services, and clients don't send credentials to
+many servers. This approach is often no more than a sophisticated
+application of forms and cookies.</t>
+<t>All of the schemes in wide use are proprietary and non-standard,
+and usually are undocumented. There are many standardization efforts
+in progress, as usual.</t>
+</section>
+<section title='Web Services'>
+<t>Many security properties mentioned in this document have been recast in
+XML-based protocols, using HTTP as a substitute for TCP. Like the
+amalgam of HTTP technologies mentioned above, the XML-based protocols
+are defined by an ever-changing combination of standard and
+vendor-produced specifications, some of which may be obsoleted at any
+time <xref target="WS-Pagecount"/> without any documented change control
+procedures. These protocols usually don't have much in common with the
+Architecture of the World Wide Web. It's not clear why the term "Web" is
+used to group them, but they are obviously out of scope for HTTP-based
+application protocols.</t>
+<t>[[ This section could really use a good definition of
+"Web Services" to differentiate it from REST. ]]</t>
+</section>
+<section title="Transport Layer Security">
+<t>In addition to using TLS for client and/or server authentication, it is also
+very commonly used to protect the confidentiality and integrity of the
+HTTP session. For instance, both HTTP Basic authentication and Cookies
+are often protected against snooping by TLS.</t>
+<t>It should be noted that, in that case, TLS does not protect against a
+breach of the credential store at the server or against a keylogger or
+phishing interface at the client. TLS does not change the fact that
+Basic Authentication passwords are reusable and does not address that
+weakness.</t>
+</section>
+</section>
+<section title="Revisions To HTTP">
+<t>Is is possible that HTTP will be revised in the future. "HTTP/1.1"
+<xref target="RFC2616"/> and "Use and Interpretation of HTTP Version
+Numbers" <xref target="RFC2145"/> define conformance requirements in
+relation to version numbers. In HTTP 1.1, all authentication
+mechanisms are optional, and no single transport substrate is
+specified. Any HTTP revision that adds a mandatory security mechanism
+or transport substrate will have to increment the HTTP version number
+appropriately. All widely used schemes are non-standard and/or
+proprietary.</t>
+</section>
+<section title="Security Considerations">
+<t>This entire document is about security considerations.</t>
+</section>
+</middle>
+<back>
+<references title='Normative References'>
+                </artwork>
+            </figure>
+            <t>
+                This document examines the effects of applying
+                security constraints to Web applications, documents
+                the properties that result from each method, and will
+                make Best Current Practice recommendations for HTTP
+                security in a later document version. At the moment,
+                it is mostly a laundry list of security technologies
+                and tradeoffs.
+            </t>
+            <t>
+                [[ OVERALL ISSUE:  It isn't entirely clear to the present editors
+                what the purpose of this document is. On one hand it
+                could be a compendium of peer-entity authentication
+                mechanisms (as it is presently) and make MTI recommendations
+                thereof, or it could be a place for various security
+                considerations (either coalesced here from the other
+                httpbis specs, or reserved for the more gnarly cross-spec
+                composite ones), or both. This needs to be clarified.
+                ]]
+            </t>
+        </section>
+        <section title="Existing HTTP Security Mechanisms">
+            <t>
+                For HTTP, the IETF generally defines "security
+                mechanisms" as some combination of access
+                authentication and/or a secure transport.
+            </t>
+            <t>
+                [[ There is a suggestion that this section be split
+                into "browser-like" and "automation-like"
+                subsections. See:
+                <list>
+                    <t>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0180.html</t>
+                    <t>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0183.html</t>
+                </list>
+                ]]
+            </t>
+            <t>
+                [[ NTLM (shudder)
+                was brought up in the WG a few times
+                in the discussion of the -00 draft. Should we add a
+                section on it? See..
+                <list>
+                    <t>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0132.html</t>
+                    <t>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0135.html</t>
+                </list>
+                ]]
+            </t>
+            <section title="Forms And Cookies">
+                <t>
+                    [[ JH: I am not convinced that this subsection
+                    properly belongs in this overall section in that
+                    "HTTP+HTML Form based authentication"
+                    &lt;http://en.wikipedia.org/wiki/HTTP%2BHTML_Form_based_authentication&gt;
+                    is not properly a part of HTTP itself. Rather, it is
+                    a piece of applications layered on top of HTTP. Use of cookies for
+                    state management (e.g. session maintanence) can be
+                    considered such, however (although there is no
+                    overall specification for HTTP user agents stipulating
+                    that they must implement cookies (nominally
+                    <xref target="RFC2109"/>)). Perhaps this section should be
+                    should be retitled "HTTP Authentication".
+                    </t>
+                <t>
+                    Note: The httpstate WG was recently chartered to develop a successor to
+                    <xref target="RFC2109"/>. See..
+                    <list>
+                        <t>http://www.ietf.org/dyn/wg/charter/httpstate-charter.html</t>
+                    </list>
+                </t>
+                <t>
+                    ]]
+                </t>
+                <t>
+                    Almost all HTTP authentication that involves a
+                    human using a web browser is accomplished through
+                    HTML forms, with session identifiers stored in
+                    cookies. For cookies, most implementations rely on
+                    the "Netscape specification", which is described
+                    loosely in section 10 of "HTTP State Management
+                    Mechanism" <xref target="RFC2109"/>. The protocol
+                    in RFC 2109 is relatively widely implemented, but
+                    most clients don't advertise support for it. RFC
+was later updated <xref target="RFC2965"/>,
+                    but the newer version is not widely implemented.
+                </t>
+                <t>
+                    Forms and cookies have many properties that make
+                    them an excellent solution for some
+                    implementers. However, many of those properties
+                    introduce serious security trade-offs.
+                </t>
+                <t>
+                    HTML forms provide a large degree of control over
+                    presentation, which is an imperative for many
+                    websites. However, this increases user reliance on
+                    the appearance of the interface. Many users do not
+                    understand the construction of URIs <xref
+                    target="RFC3986"/>, or their presentation in
+                    common clients <xref target="PhishingHOWTO"/>.  As
+                    a result, forms are extremely vulnerable to
+                    spoofing.
+                </t>
+                <t>
+                    HTML forms provide acceptable internationalization
+                    if used carefully, at the cost of being
+                    transmitted as normal HTTP content in all cases
+                    (credentials are not differentiated in the
+                    protocol).
+                </t>
+                <t>
+                    Many Web browsers have an auto-complete feature
+                    that stores a user's information and pre-populates
+                    fields in forms. This is considered to be a
+                    convenience mechanism, and convenience mechanisms
+                    often have negative security properties. The
+                    security concerns with auto-completion are
+                    particularly poignant for web browsers that reside
+                    on computers with multiple users. HTML forms
+                    provide a facility for sites to indicate that a
+                    field, such as a password, should never be
+                    pre-populated. However, it is clear that some form
+                    creators do not use this facility when they
+                    should.
+                </t>
+                <t>
+                    The cookies that result from a successful form
+                    submission make it unnecessary to validate
+                    credentials with each HTTP request; this makes
+                    cookies an excellent property for
+                    scalability. Cookies are susceptible to a large
+                    variety of XSS (cross-site scripting) attacks, and
+                    measures to prevent such attacks will never be as
+                    stringent as necessary for authentication
+                    credentials because cookies are used for many
+                    purposes.  Cookies are also susceptible to a wide
+                    variety of attacks from malicious intermediaries
+                    and observers. The possible attacks depend on the
+                    contents of the cookie data. There is no standard
+                    format for most of the data.
+                </t>
+                <t>
+                    HTML forms and cookies provide flexible ways of
+                    ending a session from the client.
+                </t>
+                <t>
+                    HTML forms require an HTML rendering engine for
+                    which many protocols have no use.
+                </t>
+            </section>
+            <section title="HTTP Access Authentication">
+                <t>
+                    HTTP 1.1 provides a simple authentication
+                    framework, "HTTP Authentication: Basic and Digest
+                    Access Authentication" <xref target="RFC2617"/>,
+                    which defines two optional mechanisms. Both of
+                    these mechanisms are extremely rarely used in
+                    comparison to forms and cookies, but some degree
+                    of support for one or both is available in many
+                    implementations. Neither scheme provides
+                    presentation control, logout capabilities, or
+                    interoperable internationalization.
+                </t>
+                <section title="Basic Authentication">
+                    <t>
+                        Basic Authentication (normally called just
+                        "Basic") transmits usernames and passwords in
+                        the clear. It is very easy to implement, but
+                        not at all secure unless used over a secure
+                        transport.
+                    </t>
+                    <t>
+                        Basic has very poor scalability properties
+                        because credentials must be revalidated with
+                        every request, and because secure transports
+                        negate many of HTTP's caching mechanisms. Some
+                        implementations use cookies in combination
+                        with Basic credentials, but there is no
+                        standard method of doing so.
+                    </t>
+                    <t>
+                        Since Basic credentials are clear text, they
+                        are reusable by any party. This makes them
+                        compatible with any authentication database,
+                        at the cost of making the user vulnerable to
+                        mismanaged or malicious servers, even over a
+                        secure channel.
+                    </t>
+                    <t>
+                        Basic is not interoperable when used with
+                        credentials that contain characters outside of
+                        the ISO 8859-1 repertoire.
+                    </t>
+                </section>
+                <section title="Digest Authentication">
+                    <t>
+                        In Digest Authentication, the client transmits
+                        the results of hashing user credentials with
+                        properties of the request and values from the
+                        server challenge. Digest is susceptible to
+                        man-in-the-middle attacks when not used over a
+                        secure transport.
+                    </t>
+                    <t>
+                        Digest has some properties that are preferable
+                        to Basic and Cookies. Credentials are not
+                        immediately reusable by parties that observe
+                        or receive them, and session data can be
+                        transmitted alongside credentials with each
+                        request, allowing servers to validate
+                        credentials only when absolutely
+                        necessary. Authentication data session keys
+                        are distinct from other protocol traffic.
+                    </t>
+                    <t>
+                        Digest includes many modes of operation, but
+                        only the simplest modes enjoy any degree of
+                        interoperability.  For example, most
+                        implementations do not implement the mode that
+                        provides full message integrity.  Perhaps one
+                        reason is that implementation experience has
+                        shown that in some cases, especially those
+                        involving large requests or responses such as
+                        streams, the message integrity mode is
+                        impractical because it requires servers to
+                        analyze the full request before determining
+                        whether the client knows the shared secret or
+                        whether message-body integrity has been
+                        violated and hence whether the request can be
+                        processed.
+                    </t>
+                    <t>
+                        Digest is extremely susceptible to offline
+                        dictionary attacks, making it practical for
+                        attackers to perform a namespace walk
+                        consisting of a few million passwords for most
+                        users.
+                    </t>
+                    <t>
+                        Many of the most widely-deployed HTTP/1.1
+                        clients are not compliant when GET requests
+                        include a query string <xref
+                        target="Apache_Digest"/>.
+                    </t>
+                    <t>
+                        Digest either requires that authentication
+                        databases be expressly designed to accommodate
+                        it, or requires access to cleartext passwords.
+                        As a result, many authentication databases
+                        that chose to do the former are incompatible,
+                        including the most common method of storing
+                        passwords for use with Forms and Cookies.
+                    </t>
+                    <t>
+                        Many Digest capabilities included to prevent
+                        replay attacks expose the server to Denial of
+                        Service attacks.
+                    </t>
+                    <t>
+                        Digest is not interoperable when used with
+                        credentials that contain characters outside of
+                        the ISO 8859-1 repertoire.
+                    </t>
+                </section>
+                <section title="Authentication Using Certificates in TLS">
+                    <t>
+                        Running HTTP over TLS provides authentication
+                        of the HTTP server to the client. HTTP over
+                        TLS can also provides authentication of the
+                        client to the server using
+                        certificates. Although forms are a much more
+                        common way to authenticate users to HTTP
+                        servers, TLS client certificates are widely
+                        used in some environments.  The public key
+                        infrastructure (PKI) used to validate
+                        certificates in TLS can be rooted in public
+                        trust anchors or can be based on local trust
+                        anchors.
+                    </t>
+                </section>
+                <section title="Other Access Authentication Schemes">
+                    <t>
+                        There are many niche schemes that make use of
+                        the HTTP Authentication framework, but very
+                        few are well documented. Some are bound to
+                        transport layer connections.
+                    </t>
+                    <section title="Negotiate (GSS-API) Authentication">
+                        <t>
+                            Microsoft has designed an HTTP
+                            authentication mechanism that utilizes
+                            SPNEGO <xref target="RFC4178"/> GSSAPI
+                            <xref target="RFC4559"/>. In Microsoft's
+                            implementation, SPNEGO allows selection
+                            between Kerberos and NTLM (Microsoft NT
+                            Lan Manager protocols).
+                        </t>
+                        <t>
+                            In Kerberos, clients and servers rely on a
+                            trusted third-party authentication service
+                            which maintains its own authentication
+                            database. Kerberos is typically used with
+                            shared secret key cryptography, but
+                            extensions for use of other authentication
+                            mechnanisms such as PKIX certificates and
+                            two-factor tokens are also common.
+                            Kerberos was designed to work under the
+                            assumption that packets traveling along
+                            the network can be read, modified, and
+                            inserted at will.
+                        </t>
+                        <t>
+                            Unlike Digest, Negotiate authentication
+                            can take multiple round trips (client
+                            sending authentication data in
+                            Authorization, server sending
+                            authentication data in WWW-Authenticate)
+                            to complete.
+                        </t>
+                        <t>
+                            Kerberos authentication is generally more
+                            secure than Digest. However the
+                            requirement for having a separate network
+                            authentication service might be a barrier
+                            to deployment.
+                        </t>
+                        <!--
+                        Kerberos didn't support Unicode till relatively recently. I am not sure if this
+                        is an issue with Microsoft's implementation.
+                        -->
+                    </section>
+                    <section title="OAuth">
+                        <t>
+                            [[ See..
+                            <list>
+                                <t>http://www.ietf.org/id/draft-hammer-http-token-auth-01.txt</t>
+                                <t>http://www.ietf.org/id/draft-hammer-oauth-10.txt</t>
+                            </list>
+                            ]]
+                        </t>
+                    </section>
+                </section>
+            </section>
+            <section title="Centrally-Issued Tickets">
+                <t>
+                    Many large Internet services rely on
+                    authentication schemes that center on clients
+                    consulting a single service for a time-limited
+                    ticket that is validated with undocumented
+                    heuristics. Centralized ticket issuing has the
+                    advantage that users may employ one set of
+                    credentials for many services, and clients don't
+                    send credentials to many servers. This approach is
+                    often no more than a sophisticated application of
+                    forms and cookies.
+                </t>
+                <t>
+                    All of the schemes in wide use are proprietary and
+                    non-standard, and usually are undocumented. There
+                    are many standardization efforts in progress, as
+                    usual.
+                </t>
+            </section>
+            <section title="Web Services">
+                <t>
+                    Many security properties mentioned in this
+                    document have been recast in XML-based protocols,
+                    using HTTP as a substitute for TCP. Like the
+                    amalgam of HTTP technologies mentioned above, the
+                    XML-based protocols are defined by an
+                    ever-changing combination of standard and
+                    vendor-produced specifications, some of which may
+                    be obsoleted at any time <xref
+                    target="WS-Pagecount"/> without any documented
+                    change control procedures. These protocols usually
+                    don't have much in common with the Architecture of
+                    the World Wide Web. It's not clear why the term
+                    "Web" is used to group them, but they are
+                    obviously out of scope for HTTP-based application
+                    protocols.
+                </t>
+                <t>
+                    [[ This section could really use a good definition
+                    of "Web Services" to differentiate it from
+                    REST. See..
+                    <list>
+                        <t>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0536.html</t>
+                    </list>
+                    ]]
+                </t>
+            </section>
+            <section title="Transport Layer Security">
+                <t>
+                    In addition to using TLS for client and/or server
+                    authentication, it is also very commonly used to
+                    protect the confidentiality and integrity of the
+                    HTTP session. For instance, both HTTP Basic
+                    authentication and Cookies are often protected
+                    against snooping by TLS.
+                </t>
+                <t>
+                    It should be noted that, in that case, TLS does
+                    not protect against a breach of the credential
+                    store at the server or against a keylogger or
+                    phishing interface at the client. TLS does not
+                    change the fact that Basic Authentication
+                    passwords are reusable and does not address that
+                    weakness.
+                </t>
+            </section>
+        </section>
+        <section title="Revisions To HTTP">
+            <t>
+                Is is possible that HTTP will be revised in the
+                future. "HTTP/1.1" <xref target="RFC2616"/> and "Use
+                and Interpretation of HTTP Version Numbers" <xref
+                target="RFC2145"/> define conformance requirements in
+                relation to version numbers. In HTTP 1.1, all
+                authentication mechanisms are optional, and no single
+                transport substrate is specified. Any HTTP revision
+                that adds a mandatory security mechanism or transport
+                substrate will have to increment the HTTP version
+                number appropriately. All widely used schemes are
+                non-standard and/or proprietary.
+            </t>
+        </section>
+        <section title="IANA Considerations">
+            <t>This document has no actions for IANA.</t>
+        </section>
+        <section title="Security Considerations">
+            <t>This entire document is about security considerations.</t>
+        </section>
+    </middle>
+    <back>
+        <references title="Normative References">
 &rfc2026;
-&rfc2109;
 &rfc2145;
 &rfc2616;
 …
 &rfc4559;
 <reference anchor='Apache_Digest'
   target='http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html'>
+<reference anchor="Apache_Digest"
+  target="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">
 <front>
   <title>Apache HTTP Server - mod_auth_digest</title>
 …
   <organization />
   </author>
 <date year='' month='' />
+<date year="" month="" />
 </front>
 </reference>
 <reference anchor='PhishingHOWTO'
   target='http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf'>
+<reference anchor="PhishingHOWTO"
+  target="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">
 <front>
   <title>Phishing Tips and Techniques</title>
   <author initials="P." surname="Gutmann" fullname="Peter Gutmann">
   <organization /></author>
   <date year='2008' month='February' />
+  <date year="2008" month="February" />
 </front>
 </reference>
 <reference anchor='WS-Pagecount'
   target='http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research'>
+<reference anchor="WS-Pagecount"
+  target="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">
 <front>
   <title>WS-Pagecount</title>
 …
   <organization />
   </author>
   <date year='2004' month='September' />
+  <date year="2004" month="September" />
 </front>
 </reference>
+</references>
+<section title='Acknowledgements'>
+<t>Much of the material in this document was written by Rob Sayre,
+who first promoted the topic. Many others on the HTTPbis Working
+Group have contributed to this document in the discussion.</t>
+</section>
+<section title='Document History'>
+<t>[This entire section is to be removed when published as an RFC.]</t>
+<section title='Changes between draft-sayre-http-security-variance-00 and
+  draft-ietf-httpbis-security-properties-00'>
+<t>Changed the authors to Paul Hoffman and Alexey Melnikov, with permission
+of Rob Sayre.</t>
+<t>Made lots of minor editorial changes.</t>
+<t>Removed what was section 2 (Requirements Notation), the reference
+to RFC 2119, and any use of 2119ish all-caps words.</t>
+<t>In 3.2.1 and 3.2.2, changed "Latin-1 range" to "ISO 8859-1
+repertoire" to match the definition of "TEXT" in RFC 2616.</t>
+<t>Added minor text to the Security Considerations section.</t>
+<t>Added URLs to the two non-RFC references.</t>
+</section>
+<section title='Changes between -00 and -01'>
+<t>Fixed some editorial nits reported by Iain Calder.</t>
+<t>Added the suggestions about splitting for browsers and
+automation, and about adding NTLM, to be beginning of 2.</t>
+<t>In 2.1, added "that involves a human
+using a web browser" in the first sentence.</t>
+<t>In 2.1, changed "session key" to "session identifier".</t>
+<t>In 2.2.2, changed
+        </references>
+        <references title="Informative References">
+&rfc2109;
+        </references>
+        <section title="Acknowledgements">
+            <t>
+                Much of the material in this document was written by
+                Rob Sayre, who first promoted the topic. Many others
+                on the HTTPbis Working Group have contributed to this
+                document in the discussion.
+            </t>
+        </section>
+        <section title="Document History">
+            <t>[This entire section is to be removed when published as an RFC.]</t>
+            <section title="Changes between draft-sayre-http-security-variance-00 and
+                draft-ietf-httpbis-security-properties-00">
+                <t>Changed the authors to Paul Hoffman and Alexey Melnikov, with permission
+                    of Rob Sayre.</t>
+                <t>Made lots of minor editorial changes.</t>
+                <t>Removed what was section 2 (Requirements Notation), the reference
+                    to RFC 2119, and any use of 2119ish all-caps words.</t>
+                <t>In 3.2.1 and 3.2.2, changed "Latin-1 range" to "ISO 8859-1
+                    repertoire" to match the definition of "TEXT" in RFC 2616.</t>
+                <t>Added minor text to the Security Considerations section.</t>
+                <t>Added URLs to the two non-RFC references.</t>
+            </section>
+            <section title="Changes between -00 and -01">
+                <t>Fixed some editorial nits reported by Iain Calder.</t>
+                <t>Added the suggestions about splitting for browsers and
+                    automation, and about adding NTLM, to be beginning of 2.</t>
+                <t>In 2.1, added "that involves a human
+                    using a web browser" in the first sentence.</t>
+                <t>In 2.1, changed "session key" to "session identifier".</t>
+                <t>In 2.2.2, changed
 <figure><artwork><![CDATA[
 Digest includes many modes of operation, but only the simplest modes
 …
 knows the shared secret.
 ]]></artwork></figure>
 to
+                    to
 <figure><artwork><![CDATA[
 Digest includes many modes of operation, but only the simplest
 …
 </t>
+<t>In 2.4, asked for a definition of "Web Services".</t>
+<t>In A, added the WG.</t>
+</section>
+<section title='Changes between -01 and -02'>
+<t>In section 2.1, added more to the paragraph on auto-completion of
+HTML forms.</t>
+<t>Added the section on TLS for authentication.</t>
+<t>Filled in section 2.5.</t>
+</section>
+</section>
+</back>
+                <t>In 2.4, asked for a definition of "Web Services".</t>
+                <t>In A, added the WG.</t>
+            </section>
+            <section title="Changes between -01 and -02">
+                <t>In section 2.1, added more to the paragraph on auto-completion of
+                    HTML forms.</t>
+                <t>Added the section on TLS for authentication.</t>
+                <t>Filled in section 2.5.</t>
+            </section>
+            <section title="Changes between -02 and -03">
+                <t>
+                    Changed IPR licensing from "full3978" to "pre5378Trust200902".
+                </t>
+            </section>
+            <section title="Changes between -03 and -04">
+                <t>
+                    Changed authors to be
+                    Jeff Hodges (JH) and Barry Leiba (BL)
+                     with permission of Paul
+                    Hoffman, Alexey Melnikov, and Mark Nottingham
+                    (httpbis chair).
+                </t>
+                <t>
+                    Added "OVERALL ISSUE" to introduction.
+                </t>
+                <t>
+                    Added links to email messages on mailing list(s) where
+                    various suggestions for this document were brought up. I.e.
+                    added various links to those comments herein
+                    delimited by "[[...]]" braces.
+                </t>
+                <t>
+                    Noted JH's belief that "HTTP+HTML Form based authentication"
+                    aka "Forms And Cookies" doesn't properly belong in
+                    the section where it presently resides. Added link to httpstate WG.
+                </t>
+                <t>
+                    Added references to OAuth. Section needs to be filled-in as yet.
+                </t>
+                <t>
+                    Moved ref to RFC2109 to new "Informative References" section, and
+                    added a placeholder "IANA Considerations" section in order
+                    to satisfy IDnits checking.
+                </t>
+            </section>
+        </section>
+    </back>
 </rfc>
+<!-- PLEASE DO NOT DELETE!!! The below is used by XEmacs XML major-mode -->
+<!--
+Local Variables:
+mode: xml
+indent-tabs-mode:nil
+sgml-omittag:t
+sgml-shorttag:t
+sgml-namecase-general:t
+sgml-general-insert-case:lower
+sgml-minimize-attributes:nil
+sgml-always-quote-attributes:t
+sgml-indent-step:4
+sgml-indent-data:t
+sgml-parent-document:nil
+sgml-exposed-tags:nil
+sgml-local-catalogs:nil
+sgml-local-ecat-files:nil
+End:
+-->
+<!-- PLEASE DO NOT DELETE!!! The above is used by XEmacs XML major-mode -->

Note: See TracChangeset for help on using the changeset viewer.