From 8f3dee4be7a695bd1bb3dd979c194adb50984045 Mon Sep 17 00:00:00 2001 From: joe Date: Wed, 6 Aug 2008 09:53:38 +0000 Subject: * doc/security.xml: Update intro and auth sections. git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1528 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845 --- doc/security.xml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'doc') diff --git a/doc/security.xml b/doc/security.xml index 5caeda6..f014276 100644 --- a/doc/security.xml +++ b/doc/security.xml @@ -6,8 +6,9 @@ model: use of a malicious HTTP server. Under this threat model, a range of attacks are possible against a client when the user (or application) can be tricked into accessing an HTTP server which is - controlled by an attacker. This section documents the types of - possible attack and describes how they affect &neon;. + controlled by an attacker. This section documents various types of + possible attack and describes what mitigation is used in + &neon;. CPU or memory consumption attacks @@ -90,7 +91,9 @@ does not match the expected identity (or is otherwise not trusted), &neon; will fail the request by default. This behaviour can be overridden by the use of a callback installed using . + linkend="ne_ssl_set_verify"/>, which allows the application to + present the certificate details to a user for manual/off-line + verification, if possible. Test cases for the correctness of the implementation of the identity verification algorithm are present in the &neon; test 
@@ -121,11 +124,11 @@ allowing the application (and hence, user) to specify that only a specific set of authentication protocols is permitted. - &neon; supports the Digest, and Negotiate authentication - schemes, which both allow user authentication without passing - credentials over the wire. The "domain" parameter is supported in - Digest, allowing the server to restrict an authentication session - to a particular set of URIs. + &neon; supports the Digest and Negotiate authentication + schemes, which both allow authentication of users without passing + credentials in cleartext over the wire. The "domain" parameter is + supported in Digest, allowing the server to restrict an + authentication session to a particular set of URIs. -- cgit v1.2.1
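Review bot: In the second hunk (the ne_ssl_set_verify paragraph), the added clause "if possible" is ambiguous and the text does not say what the callback must do when manual verification is not possible; the reader could conclude that installing a callback is itself a safe override. Suggest stating the contract explicitly, e.g. "the callback should accept the certificate only after the user has verified its details out-of-band, and must fail the connection otherwise; a callback which accepts unconditionally disables the identity verification described above."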
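Review bot: In the third hunk, the rewording to "without passing credentials in cleartext over the wire" is more precise than the old text, but it leaves a gap next to the preceding context about restricting "a specific set of authentication protocols": the section never says which protocols do send credentials in cleartext, nor that the restriction is how an application prevents a malicious server from downgrading to one of them. Suggest adding a sentence after the Digest/Negotiate paragraph along the lines of "Applications which do not wish to send cleartext credentials to an untrusted server should restrict the permitted protocols to these schemes unless the connection is protected by SSL."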