[dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
On Mon, Jun 26, 2006 at 12:00:52PM -0700, Eric Rescorla wrote:
> Mark Nottingham <mnot at yahoo-inc.com> writes:
>
> > On 2006/06/23, at 3:29 PM, Eric Rescorla wrote:
> >> Part of the problem is that the user and the software have
> >> a different view of the RP's identity. The software knows that
> >> C1tibank and Citibank are different, but the user does not.
> >
> > Fair enough.
> >
> > Would it be correct to say that HTTP Digest Auth has this property
> > already (because A2 includes the digest-uri-value)? There are other
> > attacks that can be made against Digest, of course (e.g., dictionary
> > against weak passwords), but it's interesting to think of it as
> > having anti-phishing properties.
>
> I'm not 100% sure. IIRC, the digest-uri-value is only the
> path portion, i.e.,
>
> /example/example.html
digest-uri-value just matches the Request-URI, so it depends on whether
the client is using a proxy or not - HTTP/1.1 clients will typically use
an absoluteURI in the Request-URI iff configured to use a proxy (and not
tunnelling using CONNECT); otherwise they use the abs_path.
joe
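To make the binding Mark and Joe are discussing concrete, here is an added example (not part of the thread, and not code from any of its authors) that computes an RFC 2617 Digest response with qop=auth. A2 is Method ":" digest-uri-value, so the response for the abs_path form "/example/example.html" differs from the response for the absoluteURI form a proxied client would send, and a server that compares the uri= directive against the Request-URI it received rejects a response captured for a different path or method. The user name, realm, password and nonce are constructed sample values.

```python
"""Added example: RFC 2617 Digest response computation, showing that the
digest-uri-value is part of A2 and therefore of the final response.
All credentials and nonces here are constructed samples, not real values."""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    digest_uri: str, nonce: str, nc: str = "00000001",
                    cnonce: str = "0a4f113b", qop: str = "auth") -> str:
    """RFC 2617 section 3.2.2 with qop=auth:
    A1 = username:realm:password
    A2 = Method:digest-uri-value
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)"""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{digest_uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username: str, realm: str, password: str,
                         method: str, request_uri: str, nonce: str) -> dict:
    """Directives a client puts in its Authorization header.  The uri= value
    is whatever the client used in its Request-Line: abs_path normally,
    absoluteURI when it is configured to go through a proxy."""
    nc, cnonce = "00000001", "0a4f113b"  # constructed client values
    return {
        "username": username, "realm": realm, "nonce": nonce,
        "uri": request_uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(username, realm, password, method,
                                    request_uri, nonce, nc, cnonce, "auth"),
    }


def server_verify(method: str, request_uri: str, params: dict,
                  password_lookup) -> bool:
    """Server-side check.  The uri= directive must equal the Request-URI the
    server actually received (a response computed for /a is useless against
    /b), and the response must recompute from the server's copy of the
    password.  The hex digests are compared in constant time."""
    if params.get("uri") != request_uri:
        return False
    password = password_lookup(params.get("username"))
    if password is None:
        return False
    expected = digest_response(params["username"], params["realm"], password,
                               method, request_uri, params["nonce"],
                               params["nc"], params["cnonce"], params["qop"])
    return hmac.compare_digest(expected, params["response"])


# Constructed sample credential store and server nonce.
USERS = {"alice": "correct horse battery staple"}
REALM = "example.org"
NONCE = "3f1c9a7e5b2d4c8f0a6e1b9d7c5a3e2f"

if __name__ == "__main__":
    direct = client_authorization("alice", REALM, USERS["alice"], "GET",
                                  "/example/example.html", NONCE)
    print("same uri verifies:",
          server_verify("GET", "/example/example.html", direct, USERS.get))
    print("other path verifies:",
          server_verify("GET", "/example/other.html", direct, USERS.get))
    # The same request sent via a proxy: Request-URI, and hence uri=, is an
    # absoluteURI, so the response value is different.
    proxied = client_authorization("alice", REALM, USERS["alice"], "GET",
                                   "http://example.org/example/example.html",
                                   NONCE)
    print("responses differ:", direct["response"] != proxied["response"])
```

Note the consequence for Joe's point: a server that compares uri= strictly against the abs_path it sees will reject a client whose Request-Line carried an absoluteURI because it went through a proxy; whatever normalization a server applies has to be applied identically to both the uri= directive and the received Request-URI, otherwise the binding is lost.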
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix