PaceFixSecurityConsiderations


Abstract

Regarding Draft -08...

Remove section 13. Replace section 14 with a more generic statement about APP being subject to the same security considerations as RFC2616 with a constraint that if Basic Auth is used, TLS SHOULD also be used.

Status

Proposed

Rationale

APP is an HTTP spec. HTTP already has defined authentication mechanisms. There is no need for APP to specify specific authentication mechanisms. CGI authentication is valuable, but best done as a separate spec deriving from RFC2617.

Proposal

Remove section 13. Replace section 14.

14. Security Considerations

Implementations of the Atom Publishing Protocol SHOULD be protected using HTTP Authentication mechanisms as defined by or derived from [RFC2617]. If implementations choose to implement support for HTTP Basic Authentication, they SHOULD support encryption of the session using TLS [RFC2246]. The security of the Atom Publishing Protocol is subject to the same security considerations as discussed in [RFC2616] and is entirely dependent on the strengths and weaknesses of the implementation and the chosen authentication and transport security mechanisms.
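The proposed text couples Basic Authentication to TLS. What that looks like on the server side, as an added example that is not part of this proposal or of any Atom implementation: an authorization decision for a protected APP resource that parses RFC2617 Basic credentials but only challenges for, and only evaluates, those credentials when the connection is TLS-protected. The realm name, the credential store and the `authorize`/`parse_basic`/`verify` helpers are all constructed for this example.

```python
"""Gate HTTP Basic credentials on TLS for an Atom Publishing Protocol server.

Added example (not from the proposal): Basic credentials [RFC2617] are only
solicited and only checked when the session is protected by TLS.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple

REALM = "atompub"  # hypothetical realm name for the WWW-Authenticate challenge


def _hash_password(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 of the password; stands in for a real password hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


# Constructed credential store: username -> (salt, salted hash). Example data only.
_SALT = b"example-salt"
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash_password(_SALT, "correct horse battery staple")),
}


def encode_basic(user: str, password: str) -> str:
    """Build an Authorization header value the way an RFC2617 Basic client does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic credentials value, or None if malformed."""
    scheme, _, value = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def verify(user: str, password: str) -> bool:
    """Constant-time check; hashes even for unknown users so timing does not leak usernames."""
    entry = CREDENTIALS.get(user)
    salt, expected = entry if entry else (_SALT, b"\x00" * 32)
    matched = hmac.compare_digest(_hash_password(salt, password), expected)
    return matched and entry is not None


def authorize(is_tls: bool, authorization: Optional[str]) -> Tuple[int, Dict[str, str], str]:
    """Decide the response to a request for a protected APP resource.

    Returns (status, extra headers, reason). Basic credentials are never
    challenged for or evaluated on a plaintext connection.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if authorization is None:
        if not is_tls:
            # A Basic challenge here would invite the client to send the password in clear.
            return 403, {}, "authentication required; use TLS"
        return 401, challenge, "credentials required"
    creds = parse_basic(authorization)
    if creds is None:
        return 400, {}, "malformed Basic credentials"
    if not is_tls:
        # Credentials were already sent in the clear: refuse without evaluating them,
        # so a success reply cannot confirm to an eavesdropper that they were valid.
        return 403, {}, "Basic credentials rejected over plaintext HTTP"
    user, password = creds
    if not verify(user, password):
        return 401, challenge, "bad credentials"
    return 200, {}, f"authenticated as {user}"


if __name__ == "__main__":
    header = encode_basic("alice", "correct horse battery staple")
    print(authorize(False, header))  # refused: plaintext connection
    print(authorize(True, header))   # accepted: TLS connection
```

Over plaintext HTTP the server neither issues a Basic challenge nor evaluates credentials it receives; a deployment would typically redirect such requests to the https URL of the same resource instead of answering 403. The same `authorize` shape can host a Digest or other RFC2617-derived scheme for the non-TLS path if the deployment needs one.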

Impacts

Notes


CategoryProposals