Alternative approach to PaceBasicAuthentication and PaceAuthentication.
http://www.intertwingly.net/wiki/pie/PaceFixSecurityConsiderations
#pragma section-numbers off
== Abstract ==
Remove section 13. Replace section 14 with a more generic statement
about APP being subject to the same security considerations as RFC2616
with a constraint that if Basic Auth is used, TLS SHOULD also be used.
== Status ==
Proposed
== Rationale ==
APP is an HTTP spec. HTTP already defines authentication mechanisms
(RFC2617), so there is no need for APP to mandate particular ones of its
own. CGI authentication is valuable, but it is best done as a separate
spec deriving from RFC2617.
== Proposal ==
Remove section 13. Replace section 14.
{{{
14. Security Considerations
Implementations of the Atom Publishing Protocol SHOULD be protected using
HTTP Authentication mechanisms as defined by or derived from [RFC2617]. If
implementations choose to implement support for HTTP Basic Authentication,
they SHOULD support encryption of the session using TLS [RFC2246]. The
security of the Atom Publishing Protocol is subject to the same security
considerations as discussed in [RFC2616] and is entirely dependent on the
strengths and weaknesses of the implementation and the chosen authentication
and transport security mechanisms.
}}}
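The constraint in the proposed text is easy to state and easy to get wrong in practice, because Basic credentials are only base64-encoded and are fully readable by anyone on the path if the request goes out over plain HTTP. The following is an added example, not code from this Pace or from any Atom implementation, showing one way a client can enforce the "Basic only with TLS" rule: it assembles an APP POST that creates an entry in a collection and refuses to attach a Basic Authorization header unless the collection URL is https. The function and class names, the sample entry, the example.org URL and the credentials are all assumptions made for illustration; ISO-8859-1 is assumed as the credential charset, since RFC2617 leaves it unspecified.

```python
"""Added example: an APP client that honours the proposed section 14.

Not code from the Pace or from any Atom implementation; all names here
(build_app_request, InsecureTransport, the sample entry and URLs) are
assumptions made for illustration.
"""
import base64
from urllib.parse import urlsplit


class InsecureTransport(Exception):
    """Raised when Basic credentials would be sent over a non-TLS URL."""


def basic_credentials(user, password):
    """Build an RFC 2617 Basic Authorization value.

    Basic is base64 *encoding* of "user:password", not encryption; anyone
    who can read the request can read the password (see recover_credentials).
    ISO-8859-1 is assumed for the credential charset (RFC 2617 leaves it open).
    """
    if ":" in user:
        raise ValueError("RFC 2617 forbids ':' in the user-id")
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def recover_credentials(authorization):
    """What a passive observer of a plain-HTTP request learns from the header."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def build_app_request(url, user, password, entry_xml, allow_plaintext_basic=False):
    """Assemble a POST that creates an entry in an APP collection.

    Refuses to attach Basic credentials unless the collection URL uses TLS
    (https), turning the Pace's "SHOULD use TLS" into a client-side policy.
    allow_plaintext_basic exists only so a deployment can opt out consciously.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" and not allow_plaintext_basic:
        raise InsecureTransport(
            f"refusing to send Basic credentials over {parts.scheme!r}; use https"
        )
    body = entry_xml.encode("utf-8")
    headers = {
        "Host": parts.netloc,
        "Authorization": basic_credentials(user, password),
        "Content-Type": "application/atom+xml",
        "Content-Length": str(len(body)),
    }
    return {"method": "POST", "target": parts.path or "/", "headers": headers, "body": body}


# Constructed sample entry for the demonstration; not taken from any real feed.
SAMPLE_ENTRY = (
    '<entry xmlns="http://www.w3.org/2005/Atom">'
    "<title>Hello</title><content>First post</content></entry>"
)


if __name__ == "__main__":
    req = build_app_request("https://example.org/blog/collection", "alice", "secret", SAMPLE_ENTRY)
    print(req["headers"]["Authorization"])
    # The same header, read back the way a network observer would read it:
    print(recover_credentials(req["headers"]["Authorization"]))
    try:
        build_app_request("http://example.org/blog/collection", "alice", "secret", SAMPLE_ENTRY)
    except InsecureTransport as exc:
        print("blocked:", exc)
```

recover_credentials is there to make the point concrete: the Authorization value a client puts on the wire decodes back to the cleartext user and password with one library call, which is why the proposed text ties Basic to TLS rather than treating Basic as a secure mechanism on its own.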
== Impacts ==
== Notes ==
----
CategoryProposals