Timestamp:
11/03/10 10:48:42 (11 years ago)
Author:
julian.reschke@…
Message:

update to what was submitted as draft 04

File:
1 edited

  • draft-ietf-httpbis-security-properties/latest/draft-ietf-httpbis-security-properties.txt

    r551 r787  
    22
    33
    4 Network Working Group                                         P. Hoffman
    5 Internet-Draft                                            VPN Consortium
    6 Intended status: Informational                               A. Melnikov
    7 Expires: September 10, 2009                                   Isode Ltd.
    8                                                            March 9, 2009
     4Network Working Group                                          J. Hodges
     5Internet-Draft                                                    PayPal
     6Intended status: Informational                                  B. Leiba
     7Expires: September 2, 2009                           Huawei Technologies
     8                                                              March 2009
    99
    1010
     
    4343   http://www.ietf.org/shadow.html.
    4444
    45    This Internet-Draft will expire on September 10, 2009.
     45   This Internet-Draft will expire on September 2, 2009.
    4646
    4747Copyright Notice
     
    5353
    5454
    55 Hoffman & Melnikov     Expires September 10, 2009               [Page 1]
     55Hodges & Leiba          Expires September 2, 2009               [Page 1]
    5656
    5757
     
    6868
    6969   Recent IESG practice dictates that IETF protocols must specify
    70    mandatory-to-implement security mechanisms, so that all conformant
    71    implementations share a common baseline.  This document examines all
    72    widely deployed HTTP security technologies, and analyzes the trade-
    73    offs of each.
     70   mandatory-to-implement (MTI) security mechanisms, so that all
     71   conformant implementations share a common baseline.  This document
     72   examines all widely deployed HTTP security technologies, and analyzes
     73   the trade-offs of each.
    7474
    7575
     
    7878   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
    7979   2.  Existing HTTP Security Mechanisms  . . . . . . . . . . . . . .  3
    80      2.1.  Forms And Cookies  . . . . . . . . . . . . . . . . . . . .  3
     80     2.1.  Forms And Cookies  . . . . . . . . . . . . . . . . . . . .  4
    8181     2.2.  HTTP Access Authentication . . . . . . . . . . . . . . . .  5
    82        2.2.1.  Basic Authentication . . . . . . . . . . . . . . . . .  5
    83        2.2.2.  Digest Authentication  . . . . . . . . . . . . . . . .  5
    84        2.2.3.  Authentication Using Certificates in TLS . . . . . . .  6
    85        2.2.4.  Other Access Authentication Schemes  . . . . . . . . .  6
    86      2.3.  Centrally-Issued Tickets . . . . . . . . . . . . . . . . .  7
    87      2.4.  Web Services . . . . . . . . . . . . . . . . . . . . . . .  7
    88      2.5.  Transport Layer Security . . . . . . . . . . . . . . . . .  8
    89    3.  Revisions To HTTP  . . . . . . . . . . . . . . . . . . . . . .  8
    90    4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
    91    5.  Normative References . . . . . . . . . . . . . . . . . . . . .  8
    92    Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . .  9
    93    Appendix B.  Document History  . . . . . . . . . . . . . . . . . . 10
     82       2.2.1.  Basic Authentication . . . . . . . . . . . . . . . . .  6
     83       2.2.2.  Digest Authentication  . . . . . . . . . . . . . . . .  6
     84       2.2.3.  Authentication Using Certificates in TLS . . . . . . .  7
     85       2.2.4.  Other Access Authentication Schemes  . . . . . . . . .  7
     86     2.3.  Centrally-Issued Tickets . . . . . . . . . . . . . . . . .  8
     87     2.4.  Web Services . . . . . . . . . . . . . . . . . . . . . . .  8
     88     2.5.  Transport Layer Security . . . . . . . . . . . . . . . . .  9
     89   3.  Revisions To HTTP  . . . . . . . . . . . . . . . . . . . . . .  9
     90   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
     91   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
     92   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     93     6.1.  Normative References . . . . . . . . . . . . . . . . . . . 10
     94     6.2.  Informative References . . . . . . . . . . . . . . . . . . 11
     95   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . . 11
     96   Appendix B.  Document History  . . . . . . . . . . . . . . . . . . 11
    9497     B.1.  Changes between draft-sayre-http-security-variance-00
    95            and   draft-ietf-httpbis-security-properties-00  . . . . . 10
    96      B.2.  Changes between -00 and -01  . . . . . . . . . . . . . . . 10
    97      B.3.  Changes between -01 and -02  . . . . . . . . . . . . . . . 11
    98    Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
    99 
    100 
    101 
    102 
    103 
    104 
    105 
    106 
    107 
    108 
    109 
    110 
    111 
    112 Hoffman & Melnikov     Expires September 10, 2009               [Page 2]
     98           and
     99           draft-ietf-httpbis-security-properties-00  . . . . . . . . 11
     100     B.2.  Changes between -00 and -01  . . . . . . . . . . . . . . . 11
     101     B.3.  Changes between -01 and -02  . . . . . . . . . . . . . . . 12
     102     B.4.  Changes between -02 and -03  . . . . . . . . . . . . . . . 12
     103     B.5.  Changes between -03 and -04  . . . . . . . . . . . . . . . 13
     104   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
     105
     106
     107
     108
     109
     110
     111
     112Hodges & Leiba          Expires September 2, 2009               [Page 2]
    113113
    114114
     
    1181181.  Introduction
    119119
    120    Recent IESG practice dictates that IETF protocols are required to
    121    specify mandatory to implement security mechanisms.  "The IETF
     120   Recent IESG practice dictates that IETF protocols be required to
     121   specify mandatory-to-implement (MTI) security mechanisms.  "The IETF
    122122   Standards Process" [RFC2026] does not require that protocols specify
    123123   mandatory security mechanisms.  "Strong Security Requirements for
     
    146146   laundry list of security technologies and tradeoffs.
    147147
     148   [[ OVERALL ISSUE: It isn't entirely clear to the present editors what
     149   the purpose of this document is.  On one hand it could be a
     150   compendium of peer-entity authentication mechanisms (as it is
     151   presently) and make MTI recommendations thereof, or it could be a
     152   place for various security considerations (either coalesced here from
     153   the other httpbis specs, or reserved for the more gnarly cross-spec
     154   composite ones), or both.  This needs to be clarified. ]]
     155
    148156
    1491572.  Existing HTTP Security Mechanisms
     
    153161
    154162   [[ There is a suggestion that this section be split into "browser-
    155    like" and "automation-like" subsections. ]]
     163   like" and "automation-like" subsections.  See:
     164
     165
     166
     167
     168
     169Hodges & Leiba          Expires September 2, 2009               [Page 3]
     170
     171
     172Internet-Draft       Security Requirements for HTTP           March 2009
     173
     174
     175      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
     176      0180.html
     177
     178      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
     179      0183.html
     180
     181   ]]
    156182
    157183   [[ NTLM (shudder) was brought up in the WG a few times in the
    158    discussion of the -00 draft.  Should we add a section on it? ]]
     184   discussion of the -00 draft.  Should we add a section on it?  See..
     185
     186      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
     187      0132.html
     188
     189      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
     190      0135.html
     191
     192   ]]
    159193
    1601942.1.  Forms And Cookies
     195
     196   [[ JH: I am not convinced that this subsection properly belongs in
     197   this overall section in that "HTTP+HTML Form based authentication"
     198   <http://en.wikipedia.org/wiki/HTTP%2BHTML_Form_based_authentication>
     199   is not properly a part of HTTP itself.  Rather, it is a piece of
     200   applications layered on top of HTTP.  Use of cookies for state
     201   management (e.g. session maintanence) can be considered such, however
     202   (although there is no overall specification for HTTP user agents
     203   stipulating that they must implement cookies (nominally [RFC2109])).
     204   Perhaps this section should be should be retitled "HTTP
     205   Authentication".
     206
     207   Note: The httpstate WG was recently chartered to develop a successor
     208   to [RFC2109].  See..
     209
     210      http://www.ietf.org/dyn/wg/charter/httpstate-charter.html
     211
     212   ]]
    161213
    162214   Almost all HTTP authentication that involves a human using a web
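Review bot: the new JH editorial note in 2.1 carries two typos that should be fixed before this revision is cut: "session maintanence" should read "session maintenance", and "Perhaps this section should be should be retitled" duplicates "should be". The "See.." lead-in (two periods, repeated in the other new notes in this revision) reads as a typo; use "See:" as the split-section note earlier in section 2 already does.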
     
    164216   stored in cookies.  For cookies, most implementations rely on the
    165217   "Netscape specification", which is described loosely in section 10 of
    166 
    167 
    168 
    169 Hoffman & Melnikov     Expires September 10, 2009               [Page 3]
    170 
    171 
    172 Internet-Draft       Security Requirements for HTTP           March 2009
    173 
    174 
    175218   "HTTP State Management Mechanism" [RFC2109].  The protocol in RFC
    176219   2109 is relatively widely implemented, but most clients don't
    177220   advertise support for it.  RFC 2109 was later updated [RFC2965], but
    178221   the newer version is not widely implemented.
     222
     223
     224
     225
     226Hodges & Leiba          Expires September 2, 2009               [Page 4]
     227
     228
     229Internet-Draft       Security Requirements for HTTP           March 2009
     230
    179231
    180232   Forms and cookies have many properties that make them an excellent
     
    220272   have no use.
    221273
    222 
    223 
    224 
    225 
    226 Hoffman & Melnikov     Expires September 10, 2009               [Page 4]
    227 
    228 
    229 Internet-Draft       Security Requirements for HTTP           March 2009
    230 
    231 
    2322742.2.  HTTP Access Authentication
    233275
     
    236278   which defines two optional mechanisms.  Both of these mechanisms are
    237279   extremely rarely used in comparison to forms and cookies, but some
     280
     281
     282
     283Hodges & Leiba          Expires September 2, 2009               [Page 5]
     284
     285
     286Internet-Draft       Security Requirements for HTTP           March 2009
     287
     288
    238289   degree of support for one or both is available in many
    239290   implementations.  Neither scheme provides presentation control,
     
    269320   Digest has some properties that are preferable to Basic and Cookies.
    270321   Credentials are not immediately reusable by parties that observe or
    271    receive them, and session data can be transmitted along side
     322   receive them, and session data can be transmitted alongside
    272323   credentials with each request, allowing servers to validate
    273324   credentials only when absolutely necessary.  Authentication data
     
    278329   implementations do not implement the mode that provides full message
    279330   integrity.  Perhaps one reason is that implementation experience has
    280 
    281 
    282 
    283 Hoffman & Melnikov     Expires September 10, 2009               [Page 5]
    284 
    285 
    286 Internet-Draft       Security Requirements for HTTP           March 2009
    287 
    288 
    289331   shown that in some cases, especially those involving large requests
    290332   or responses such as streams, the message integrity mode is
     
    293335   whether message-body integrity has been violated and hence whether
    294336   the request can be processed.
     337
     338
     339
     340Hodges & Leiba          Expires September 2, 2009               [Page 6]
     341
     342
     343Internet-Draft       Security Requirements for HTTP           March 2009
     344
    295345
    296346   Digest is extremely susceptible to offline dictionary attacks, making
     
    335385   SPNEGO [RFC4178] GSSAPI [RFC4559].  In Microsoft's implementation,
    336386   SPNEGO allows selection between Kerberos and NTLM (Microsoft NT Lan
    337 
    338 
    339 
    340 Hoffman & Melnikov     Expires September 10, 2009               [Page 6]
    341 
    342 
    343 Internet-Draft       Security Requirements for HTTP           March 2009
    344 
    345 
    346387   Manager protocols).
    347388
     
    351392   cryptography, but extensions for use of other authentication
    352393   mechnanisms such as PKIX certificates and two-factor tokens are also
     394
     395
     396
     397Hodges & Leiba          Expires September 2, 2009               [Page 7]
     398
     399
     400Internet-Draft       Security Requirements for HTTP           March 2009
     401
     402
    353403   common.  Kerberos was designed to work under the assumption that
    354404   packets traveling along the network can be read, modified, and
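Review bot: the unchanged context line "mechnanisms such as PKIX certificates and two-factor tokens" carries a typo ("mechanisms"); since this hunk only relocates a page break, folding that one-word fix into this revision is cheap.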
     
    362412   However the requirement for having a separate network authentication
    363413   service might be a barrier to deployment.
     414
     4152.2.4.2.  OAuth
     416
     417   [[ See..
     418
     419      http://www.ietf.org/id/draft-hammer-http-token-auth-01.txt
     420
     421      http://www.ietf.org/id/draft-hammer-oauth-10.txt
     422
     423   ]]
    364424
    3654252.3.  Centrally-Issued Tickets
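Review bot: the new 2.2.4.2 OAuth subsection consists solely of a "[[ See.. ]]" note with two bare URLs, and draft-hammer-http-token-auth-01 and draft-hammer-oauth-10 will be superseded by later revisions, so the links will go stale. Since B.5 records that the section is still to be filled in, add at least a sentence on what the two drafts define and how they relate to the access authentication schemes already analysed in 2.2, and cite them as entries in 6.2 Informative References rather than by raw URL so IDnits and future reference updates pick them up.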
     
    390450   based application protocols.
    391451
     452
     453
     454Hodges & Leiba          Expires September 2, 2009               [Page 8]
     455
     456
     457Internet-Draft       Security Requirements for HTTP           March 2009
     458
     459
    392460   [[ This section could really use a good definition of "Web Services"
    393    to differentiate it from REST. ]]
    394 
    395 
    396 
    397 Hoffman & Melnikov     Expires September 10, 2009               [Page 7]
    398 
    399 
    400 Internet-Draft       Security Requirements for HTTP           March 2009
    401 
     461   to differentiate it from REST.  See..
     462
     463      http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/
     464      0536.html
     465
     466   ]]
    402467
    4034682.5.  Transport Layer Security
     
    428493
    429494
    430 4.  Security Considerations
     4954.  IANA Considerations
     496
     497   This document has no actions for IANA.
     498
     499
     5005.  Security Considerations
    431501
    432502   This entire document is about security considerations.
    433503
    434504
    435 5.  Normative References
     5056.  References
     506
     507
     508
     509
     510
     511Hodges & Leiba          Expires September 2, 2009               [Page 9]
     512
     513
     514Internet-Draft       Security Requirements for HTTP           March 2009
     515
     516
     5176.1.  Normative References
    436518
    437519   [Apache_Digest]
     
    448530              3", BCP 9, RFC 2026, October 1996.
    449531
    450    [RFC2109]  Kristol, D. and L. Montulli, "HTTP State Management
    451 
    452 
    453 
    454 Hoffman & Melnikov     Expires September 10, 2009               [Page 8]
    455 
    456 
    457 Internet-Draft       Security Requirements for HTTP           March 2009
    458 
    459 
    460               Mechanism", RFC 2109, February 1997.
    461 
    462532   [RFC2145]  Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use
    463533              and Interpretation of HTTP Version Numbers", RFC 2145,
     
    493563
    494564   [RFC4559]  Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based
     565
     566
     567
     568Hodges & Leiba          Expires September 2, 2009              [Page 10]
     569
     570
     571Internet-Draft       Security Requirements for HTTP           March 2009
     572
     573
    495574              Kerberos and NTLM HTTP Authentication in Microsoft
    496575              Windows", RFC 4559, June 2006.
     
    500579              www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research>.
    501580
     5816.2.  Informative References
     582
     583   [RFC2109]  Kristol, D. and L. Montulli, "HTTP State Management
     584              Mechanism", RFC 2109, February 1997.
     585
    502586
    503587Appendix A.  Acknowledgements
     
    508592
    509593
    510 
    511 Hoffman & Melnikov     Expires September 10, 2009               [Page 9]
    512 
    513 
    514 Internet-Draft       Security Requirements for HTTP           March 2009
    515 
    516 
    517594Appendix B.  Document History
    518595
     
    543620   Added the suggestions about splitting for browsers and automation,
    544621   and about adding NTLM, to be beginning of 2.
     622
     623
     624
     625Hodges & Leiba          Expires September 2, 2009              [Page 11]
     626
     627
     628Internet-Draft       Security Requirements for HTTP           March 2009
     629
    545630
    546631   In 2.1, added "that involves a human using a web browser" in the
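Review bot: the unchanged context line "and about adding NTLM, to be beginning of 2." in B.2 should read "to the beginning of 2."; worth fixing alongside the page-break move in this hunk.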
     
    561646
    562647   to
    563 
    564 
    565 
    566 
    567 
    568 Hoffman & Melnikov     Expires September 10, 2009              [Page 10]
    569 
    570 
    571 Internet-Draft       Security Requirements for HTTP           March 2009
    572648
    573649
     
    596672   Filled in section 2.5.
    597673
     674B.4.  Changes between -02 and -03
     675
     676   Changed IPR licensing from "full3978" to "pre5378Trust200902".
     677
     678
     679
     680
     681
     682Hodges & Leiba          Expires September 2, 2009              [Page 12]
     683
     684
     685Internet-Draft       Security Requirements for HTTP           March 2009
     686
     687
     688B.5.  Changes between -03 and -04
     689
     690   Changed authors to be Jeff Hodges (JH) and Barry Leiba (BL) with
     691   permission of Paul Hoffman, Alexey Melnikov, and Mark Nottingham
     692   (httpbis chair).
     693
     694   Added "OVERALL ISSUE" to introduction.
     695
     696   Added links to email messages on mailing list(s) where various
     697   suggestions for this document were brought up.  I.e. added various
     698   links to those comments herein delimited by "[[...]]" braces.
     699
     700   Noted JH's belief that "HTTP+HTML Form based authentication" aka
     701   "Forms And Cookies" doesn't properly belong in the section where it
     702   presently resides.  Added link to httpstate WG.
     703
     704   Added references to OAuth.  Section needs to be filled-in as yet.
     705
     706   Moved ref to RFC2109 to new "Informative References" section, and
     707   added a placeholder "IANA Considerations" section in order to satisfy
     708   IDnits checking.
     709
    598710
    599711Authors' Addresses
    600712
    601    Paul Hoffman
    602    VPN Consortium
    603 
    604    Email: paul.hoffman@vpnc.org
    605 
    606 
    607    Alexey Melnikov
    608    Isode Ltd.
    609 
    610    Email: alexey.melnikov@isode.com
    611 
    612 
    613 
    614 
    615 
    616 
    617 
    618 
    619 
    620 
    621 
    622 
    623 
    624 
    625 Hoffman & Melnikov     Expires September 10, 2009              [Page 11]
    626 
    627 
     713   Jeff Hodges
     714   PayPal
     715
     716   Email: Jeff.Hodges@PayPal.com
     717
     718
     719   Barry Leiba
     720   Huawei Technologies
     721
     722   Phone: +1 646 827 0648
     723   Email: barryleiba@computer.org
     724   URI:   http://internetmessagingtechnology.org/
     725
     726
     727
     728
     729
     730
     731
     732
     733
     734
     735
     736
     737
     738
     739Hodges & Leiba          Expires September 2, 2009              [Page 13]
     740
     741