Re: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements

To: Eliot Lear <lear at cisco.com>
Subject: Re: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
From: Eric Rescorla <ekr at networkresonance.com>
Date: Tue, 27 Jun 2006 09:59:56 -0700
Cc: Digital Identity Exchange <dix at ietf.org>, ietf-http-auth at lists.osafoundation.org
In-reply-to: <44A162F5.3000705@cisco.com> (Eliot Lear's message of "Tue, 27 Jun 2006 18:55:17 +0200")
List-archive: <http://www1.ietf.org/pipermail/dix>
List-help: <mailto:dix-request@ietf.org?subject=help>
List-id: Digital Identity Exchange <dix.ietf.org>
List-post: <mailto:dix@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
References: <20060619220742.40B85222427@laser.networkresonance.com> <2EFA8C54-9BF9-41CA-ABD0-D6286601A5B1@sxip.com> <868xnnfarh.fsf@raman.networkresonance.com> <528CC6D5-3549-438F-88AE-61D610B9D92F@sxip.com> <86d5cvafly.fsf@raman.networkresonance.com> <44A162F5.3000705@cisco.com>
Reply-to: EKR <ekr at networkresonance.com>, Digital Identity Exchange <dix at ietf.org>
User-agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)

Eliot Lear <lear at cisco.com> writes:
> In order for this replay to be effective the attacker would have had to
> compromised the privacy of the exchange or one end of the
> communication.

Yeah, like if it weren't done over TLS.


> A cookie approach is reasonable where this risk is
> reasonable, and can be further mitigated through brief durations or one
> time use depending on need.  Do we need more?

Well, I think the question is whether such settings are the only
ones we're interested in.

-Ekr



_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix

References:
- [dix] Notes on Web authentication enhancements
  - From: Eric Rescorla
- [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
  - From: Dick Hardt
- [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
  - From: Eric Rescorla
- [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
  - From: Dick Hardt
- [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
  - From: Eric Rescorla
- Re: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
  - From: Eliot Lear

Prev by Date: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
Next by Date: Re: [Ietf-http-auth] Re: [dix] BOF plans (Was: Notes on Web authentication enhancements)
Previous by thread: Re: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
Next by thread: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
Index(es):
- Date
- Thread

Re: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.