
Ticket #348: 348.diff

File 348.diff, 1.9 KB (added by julian.reschke@gmx.de, 3 years ago)

Proposed patch

  • p7-auth.xml

     
    341341<section title="Protection Space (Realm)" anchor="protection.space"> 
    342342  <iref item="Protection Space"/> 
    343343  <iref item="Realm"/> 
     344  <iref item="Canonical Root URI"/> 
    344345<t> 
    345346   The authentication parameter realm is reserved for use by authentication 
    346347   schemes that wish to indicate the scope of protection. 
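Review bot: the new `<iref item="Canonical Root URI"/>` at line 344 adds an index entry to the "Protection Space (Realm)" section, but nothing in the visible context of this hunk introduces or defines the term "Canonical Root URI"; please make sure the definition lands in this section, or move the iref to wherever the term is actually defined, otherwise the index will point readers at a section that never uses the phrase. This matters because the "Protection Spaces" section added later in the same patch relies on "the same canonical root URI" as its security boundary, so the definition needs to be reachable from there.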
     
    803804   cached credentials under user control. 
    804805</t> 
    805806</section> 
     807 
     808<section title="Protection Spaces" anchor="protection.spaces"> 
     809<t> 
     810  Authentication schemes that solely rely on the "realm" mechanism for 
     811  establishing a protection space will expose credentials to all resources on a 
     812  server. Clients that have successfully made authenticated requests with a 
     813  resource can use the same authentication credentials for other resources on 
     814  the same server. This makes it possible for a different resource to harvest 
     815  authentication credentials for other resources. 
     816</t> 
     817<t> 
     818  This is of particular concern when a server hosts resources for multiple 
     819  parties under the same canonical root URI (<xref target="protection.spaces"/>). 
     820  Possible mitigation strategies include restricting direct access to 
     821  authentication credentials (i.e., not making the content of the 
     822  Authorization request header field available), and separating protection 
     823  spaces by using a different host name for each party. 
     824</t> 
    806825</section> 
     826</section> 
    807827 
    808828<section title="Acknowledgments" anchor="acks"> 
    809829<t> 
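Review bot: the cross-reference at line 819, `<xref target="protection.spaces"/>`, points at the anchor of the very section it appears in (`anchor="protection.spaces"` at line 808), so the rendered text would refer the reader back to the current section. The intended target is presumably the "Protection Space (Realm)" section, `anchor="protection.space"` (singular), which is where the first hunk adds the "Canonical Root URI" index entry; suggest changing it to `<xref target="protection.space"/>`. Two smaller points on the prose: the first paragraph says credentials are exposed to "all resources on a server" while the second speaks of parties sharing a "canonical root URI", and it would help to state once which of the two defines the boundary; and the mitigation "restricting direct access to authentication credentials (i.e., not making the content of the Authorization request header field available)" does not say to whom access is restricted, so naming the component being kept away from the header (for instance, the other parties' server-side application code) would make the advice actionable.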
     
    11271147  Closed issues: 
    11281148  <list style="symbols"> 
    11291149    <t> 
     1150      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/348"/>: 
     1151      "Realms and scope" 
     1152    </t> 
     1153    <t> 
    11301154      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/349"/>: 
    11311155      "Strength" 
    11321156    </t>