[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security Considerations

To: Sam Hartman <hartmans-ietf@xxxxxxx>
Subject: Re: Security Considerations
From: James M Snell <jasnell@xxxxxxxxx>
Date: Thu, 03 Aug 2006 11:13:42 -0700
Cc: Robert Sayre <sayrer@xxxxxxxxx>, Eric Rescorla <ekr@xxxxxxxxxxxxxxxxxxxx>, Brian E Carpenter <brc@xxxxxxxxxxxxxx>, "Roy T. Fielding" <fielding@xxxxxxxx>, Lisa Dusseault <lisa@xxxxxxxxxxxxxxxxx>, atom-protocol Protocol <atom-protocol@xxxxxxx>, IESG IESG <iesg@xxxxxxxx>
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=RTCQr+xmp9HRM9YEoGJX67Gh/gqJ1MCFP0IaInEQj3UOgJUfVdGRDsWz6TfvTBxrgLfrk2rI7Sg/n2QtiNMQPUYo8G4iVea9uJmeN2HIcKj9Q6aj6U2Xm3frNIhbBlBjaTo/kft0hGAwLWH7F4dTz2kOyr+6InYHKSu6XfEod4A=
In-reply-to: <tslac6liusd.fsf@xxxxxxxxxx>
List-archive: <http://www.imc.org/atom-protocol/mail-archive/>
List-id: <atom-protocol.imc.org>
List-unsubscribe: <mailto:atom-protocol-request@imc.org?body=unsubscribe>
References: <44D21C44.1020701@xxxxxxxxx> <20060803160531.DDC32222426@xxxxxxxxxxxxxxxxxxxxxxxxxx> <68fba5c50608030928k7345551cx9d44e17c2b574fc1@xxxxxxxxxxxxxx> <tslac6liusd.fsf@xxxxxxxxxx>
Sender: owner-atom-protocol@xxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.5 (X11/20060719)

Ok, tho I think quite a few of us would argue that this decision will
likely not have any impact on the interoperability of the protocol, it
should allow us to start moving forward again...

Does this text meet the requirement:

  The use of client authentication mechanisms to prevent posting or
  editing by unknown or unauthorized clients is RECOMMENDED but not
  required.  When authentication is not used, clients and servers are
  vulnerable to trivial spoofing, denial of service and defacement
  attacks, however, in some contexts, this is an acceptable risk.

  The type of authentication used is a local decision made by the server
  operator. Accordingly, clients are likely to face authentication
  schemes that vary across server deployments.  At a minumum, clients
  and servers MUST be capable of using HTTP Basic Authentication
  [RFC2617] in conjunction with a TLS connection [RFC4346] as specified
  by [RFC2818].

- James

Sam Hartman wrote:
> 
> Hi folks.
> 
> This has been a long discussion and has helped us all understand our
> various points of view, but I think we are no longer making forward
> progress.
> 
> The IESG discussed this issue during the working group news section of
> today's telechat.
> 
> The conclusion of those on the call is that in order to meet IETF
> interoperability requirements APP must normatively require a mandatory
> to implement security mechanism for HTTP authentication.
> 
> Thanks again for helping us all understand this complex issue.
> 
> There are a lot of related items that came out of this discussion.  I
> don't think it would be appropriate to block APP.  However if the
> right group of people want to get together and write a security
> current practices document for HTTP, that might be useful to future
> protocols in the same position as APP.  That effort would need to be
> coordinated with several related HTTP efforts that are underway or
> being considered.
> 
> Sam Hartman
> Security Area Director
> 
>

Follow-Ups:
- Re: Security Considerations
  - From: Sam Hartman
- Re: Security Considerations
  - From: Tim Bray

References:
- Re: Security Considerations
  - From: James M Snell
- Re: Security Considerations
  - From: Eric Rescorla
- Re: Security Considerations
  - From: Robert Sayre
- Re: Security Considerations
  - From: Sam Hartman

Prev by Date: Re: Security Considerations
Next by Date: Re: Security Considerations
Previous by thread: Re: Security Considerations
Next by thread: Re: Security Considerations
Index(es):
- Date
- Thread