Security considerations from RE-AUTHENTICATION-REQUESTED

Jim Gettys (jg@pa.dec.com)
Thu, 12 Feb 1998 13:44:01 -0800


I've pulled Paul's proposal from Rev-02 for RE-AUTHENTICATION-REQUESTED
per the discussion in Washington and the mailing list.  The lack
of this facility does need discussion in the Security Considerations
section, however.  So I had an editorial task to generate such a section.

Here's my crack at drafting such a section.  Comments welcome (for a short
while, anyway...).
				- Jim

15.6 Authentication Credentials and Idle Clients

Existing HTTP clients typically retain authentication information
indefinitely. HTTP/1.1 lacks a facility to force reauthentication of clients,
which may have been idle for extended periods, by an origin server or
a proxy. This is considered a significant defect that requires further
additions to HTTP, and is under separate study. There are a number of
work-arounds to parts of this problem, and we encourage the use of password
protected screen savers on idle clients to mitigate some of the resulting
security problems.
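The defect the draft section describes can be made concrete with a small model. The following is an added illustration written for this page, not code from the draft, from Jim Gettys or from the HTTP working group. It assumes a hypothetical origin server that applies an idle timeout of its own (a server-side work-around, which HTTP/1.1 does not define), a Basic credential store with one constructed user, and two model clients: one that retains its credentials and simply resends them whenever it is challenged, and one that discards them on a 401 and can only continue if a user is present to retype them. The point it shows is that the server cannot distinguish a credential retyped by the user from one resent out of the client's cache, so its idle timeout alone does not force an idle client to re-authenticate; that is why the draft's mitigation has to live on the client side.

```python
import base64

# Constructed credential store and idle policy for the model (not from the draft).
VALID_USERS = {"alice": "correct horse"}
IDLE_TIMEOUT = 15 * 60  # seconds; a hypothetical server-side policy


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class IdleAwareServer:
    """Hypothetical origin server that answers 401 once when a user's previous
    request is older than the idle timeout.  HTTP/1.1 gives it no way to tell
    the client to discard what it has cached, so the next credential that
    arrives must be accepted whether or not a human typed it."""

    def __init__(self, users=VALID_USERS, idle_timeout=IDLE_TIMEOUT):
        self.users = users
        self.idle_timeout = idle_timeout
        self.last_seen = {}      # user -> time of the last accepted request
        self.challenged = set()  # users the server has just asked to re-authenticate

    def handle(self, headers, now):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 400
        if self.users.get(user) != password:
            return 401
        last = self.last_seen.get(user)
        if last is not None and now - last > self.idle_timeout and user not in self.challenged:
            # Idle too long: challenge once, hoping the client re-prompts its user.
            self.challenged.add(user)
            return 401
        # Whatever arrives after the challenge is indistinguishable from a fresh login.
        self.challenged.discard(user)
        self.last_seen[user] = now
        return 200


class RetainingClient:
    """Models a client that keeps credentials indefinitely and resends them on any 401."""

    def __init__(self, user, password):
        self.header = basic_header(user, password)
        self.user_prompts = 0  # never prompts; credentials are simply reused

    def fetch(self, server, now):
        status = server.handle({"Authorization": self.header}, now)
        if status == 401:
            status = server.handle({"Authorization": self.header}, now)  # silent resend
        return status


class DiscardingClient:
    """Models a client that drops credentials on 401 and can only retype them
    if the user is present (e.g. the screen saver has been unlocked)."""

    def __init__(self, user, password, user_present):
        self.creds = (user, password)
        self.header = basic_header(user, password)
        self.user_present = user_present
        self.user_prompts = 0

    def fetch(self, server, now):
        headers = {"Authorization": self.header} if self.header else {}
        status = server.handle(headers, now)
        if status == 401:
            self.header = None
            self.user_prompts += 1
            if not self.user_present:
                return 401  # nobody at the keyboard: the request stays unauthenticated
            self.header = basic_header(*self.creds)
            status = server.handle({"Authorization": self.header}, now)
        return status


def simulate(client, idle_seconds):
    """Authenticate at t=0, sit idle, then request again.
    Returns (status of the post-idle request, number of user prompts)."""
    server = IdleAwareServer()
    assert client.fetch(server, 0) == 200
    status = client.fetch(server, idle_seconds)
    return status, client.user_prompts


if __name__ == "__main__":
    print(simulate(RetainingClient("alice", "correct horse"), 3600))
    print(simulate(DiscardingClient("alice", "correct horse", user_present=False), 3600))
    print(simulate(DiscardingClient("alice", "correct horse", user_present=True), 3600))
```

Run as a script, the first line shows the retaining client sailing through after an hour idle with zero prompts, the second shows an unattended discarding client being held at 401, and the third shows an attended one continuing only after one prompt. The server logic is identical in all three cases, which is the draft's point: without a protocol-level way to invalidate cached credentials, the idle-client exposure is bounded by what the client does, not by what the server can ask for.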