[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PaceSecurityServices

To: Sam Ruby <rubys@xxxxxxxxxxxxxxxx>
Subject: PaceSecurityServices
From: Joe Gregorio <joe.gregorio@xxxxxxxxx>
Date: Wed, 7 Jul 2004 21:26:00 -0400
Cc: atom-syntax <atom-syntax@xxxxxxx>
In-reply-to: <>
List-archive: <http://www.imc.org/atom-syntax/mail-archive/>
List-id: <atom-syntax.imc.org>
List-unsubscribe: <mailto:atom-syntax-request@imc.org?body=unsubscribe>
References: <> <>
Sender: owner-atom-syntax@xxxxxxxxxxxx

There is too much in this one Pace to just +1 or -1
the whole thing.

In the section on the AtomAPI:
---------------------------------------------

+1 on Digest and TLS

I support referencing and strongly encouraging
the use of standard authentication and 
encryption mechanisms.

-1 to WSSE

On the other hand I do not like the WSSE
mechanism ( wide open to man in the middle
attacks and requires both the client and the
server to store plaintext passwords ). 
If we must create a new authentication mechanism 
I would prefer to use an updated version of [1] that supports
multiple kinds of hashes and mandates 'auth-int'. 
This will provide better security to implementors, 
easier implementations for systems that already store
hashed values of passwords, and provides protection
against man in the middle attacks.

If we must create a new authentication mechanism
than I would also like it to be a seperate RFC from the
the AtomAPI, just as HTTP is broken into 
RFC 2616 and 2617.

[1] http://bitworking.org/news/New_AtomAPI_Implementation_Release2

Follow-Ups:
- Re: PaceSecurityServices
  - From: Robert Sayre

References:
- New AtomPubIssuesList for 2004/06/29
  - From: Sam Ruby
- New AtomPubIssuesList for 2004/07/07
  - From: Sam Ruby

Prev by Date: Thought experiment: Using a synthetic feed to find out about other feeds
Next by Date: Re: PaceUriOrItsSuccessor
Previous by thread: PaceSecurityServices
Next by thread: Re: PaceSecurityServices
Index(es):
- Date
- Thread