On 2012-02-22 18:01, RJ Atkinson wrote:
Earlier, Barry Leiba wrote, in part:
What we're looking at here is the need for an HTTP authentication
system that (for example) doesn't send reusable credentials,
is less susceptible to spoofing attacks, and so on.
More generally, I support the concerns raised by Stephen Farrell,
Wes Hardaker, and others that if *any* work is to be done on HTTP,
then improving the authentication/confidentiality properties
ought to be a mandatory part of that work.
I'm still waiting for somebody to explain why this can't already be
defined as HTTP/1.1 authentication mechanism.
The IETF has LOTS of experience that if strong(er) security
mechanisms are not *required* in a WG Charter *very explicitly*,
then that work will not happen at all.
Whether work happens nor not IMHO depends on getting the right people.
Security that works well and is practical to implement
needs to be designed-in, not bolted-on later.
I would say: security needs to be orthogonal.
Separately, I would also like to see the known-weak cryptographic
algorithms/modes (i.e. published literature indicates that
an algorithm, a mode, or both is weak) that are included with HTTP
(as separate from being part of TLS) formally get deprecated as part
of any HTTPbis work. For example, the WG ought to consider
deprecating the use of the MD5, UNIXsum, and UNIXcksum algorithms
within HTTP Digests [RFC-2617] [RFC-3230].
So far HTTPbis was not chartered to revise any existing auth scheme
(just the framework).
Best regards, Julian
Ietf mailing list