There is a new draft at: http://tools.ietf.org/html/draft-hallambaker-httpintegrity-02
One of the biggest holes in the Web Security scheme is the fact that cookies end up being used as bearer tokens and this is a very, very bad idea. It leads to all sorts of cookie stealing schemes which are very hard to deal with because while the HTTP stack is simple, the Web stack of HTTP + HTML + JavaScript + Random plugins is very complicated and many parts were originally designed by people who didn't know what the rest did. While we cannot move to eliminate cookies overnight, there are some companies with affiliate schemes that are loosing seven or eight figure sums each year in affiliate fraud. If even one of the major browsers supported a mechanism that prevented cookie stealing, they would see an instant return. The scheme described in the draft is NOT an authentication scheme, rather it describes one small part of the authentication scheme, the part that allows an authentication/authorization context established in one protocol exchange to be continued into further transactions. The mechanism by which the authentication context is established is outside the scope of the draft because that is an area where there can be a lot of useful variation. If an organization has a Kerberos server or SAML infrastructure already then it makes sense to use those. There is never going to be a single canonical means of managing user credentials or presenting/validating them. But when you look at how a good authentication mechanism continues on from the point the session has been established it pretty much boils down to some form of identifier to specify the session and some sort of shared secret used to create a result that authenticates the session. We can add in additional information such as nonces and time values and counters and the like to prevent replay attacks but these are generic mechanisms that can be used to the same effect whether we used Kerberos, OpenID, SAML or some newfangled scheme to set up the context. I am not quite sure where this would be best progressed. In the short term I was thinking of applying for a provisional HTTP header assignment so that I can start using it in the Web Service protocol I am writing (omnibroker). But right now the scheme could fit in WebSec or could fit in HTTPbis or even the proposed Web Authentication WG. Regardless of where the work ends up, I think it is clear that if we are going to specify any new HTTP authentication schemes we are going to end up addressing the issue of session continuation somewhere and that the eventual solution needs to be reviewed by the people in all three places (if they are distinct persons). -- Website: http://hallambaker.com/
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
