[Council] meeting minutes, 2006-03-09

Ian Paterson ian.paterson at clientside.co.uk
Fri Mar 10 03:57:42 CST 2006


Hi,

The proposed additional text for the Security Considerations section of
JEP-0124 is below. It has already been added to the CVS version.

I used "SHOULD" instead of "MUST" only because many implementations will
not have direct access to the HTTP (TLS) network layer.

Any comments you may have are welcome.

Cheers,

Ian


If the HTTP connection used to send the initial session request is
encrypted, then all the other connections used within the session SHOULD
also be encrypted. Furthermore, if authentication certificates are
exchanged when establishing the encrypted connection that is used to
send the initial session request, then the client and/or connection
manager SHOULD ensure that the same authentication certificates are
employed for all subsequent connections used by the session. Once such a
'secure session' has been established:

- If the connection manager refuses to establish an encrypted connection
or offers a different certificate, then the client SHOULD close the
connection and terminate the session without sending any more requests. 

- If the client sends a wrapper element that is part of a 'secure
session' over a connection that either is not encrypted or uses a
different certificate then the connection manager SHOULD simply close
the connection. The connection manager SHOULD NOT terminate the session
since that would facilitate denial of service attacks.



More information about the Council mailing list