From 8f3dee4be7a695bd1bb3dd979c194adb50984045 Mon Sep 17 00:00:00 2001
From: joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>
Date: Wed, 6 Aug 2008 09:53:38 +0000
Subject: * doc/security.xml: Update intro and auth sections.

git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1528 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
---
 doc/security.xml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

(limited to 'doc')

diff --git a/doc/security.xml b/doc/security.xml
index 5caeda6..f014276 100644
--- a/doc/security.xml
+++ b/doc/security.xml
@@ -6,8 +6,9 @@
   model: use of a malicious HTTP server.  Under this threat model, a
   range of attacks are possible against a client when the user (or
   application) can be tricked into accessing an HTTP server which is
-  controlled by an attacker.  This section documents the types of
-  possible attack and describes how they affect &neon;.</para>
+  controlled by an attacker.  This section documents various types of
+  possible attack and describes what mitigation is used in
+  &neon;.</para>
 
   <sect2>
     <title>CPU or memory consumption attacks</title>
@@ -90,7 +91,9 @@
     does not match the expected identity (or is otherwise not
     trusted), &neon; will fail the request by default.  This behaviour
     can be overridden by the use of a callback installed using <xref
-    linkend="ne_ssl_set_verify"/>.</para>
+    linkend="ne_ssl_set_verify"/>, which allows the application to
+    present the certificate details to a user for manual/off-line
+    verification, if possible.</para>
   
     <para>Test cases for the correctness of the implementation of the
     identity verification algorithm are present in the &neon; test
@@ -121,11 +124,11 @@
     allowing the application (and hence, user) to specify that only a
     specific set of authentication protocols is permitted.</para>
 
-    <para>&neon; supports the Digest, and Negotiate authentication
-    schemes, which both allow user authentication without passing
-    credentials over the wire.  The "domain" parameter is supported in
-    Digest, allowing the server to restrict an authentication session
-    to a particular set of URIs.</para>
+    <para>&neon; supports the Digest and Negotiate authentication
+    schemes, which both allow authentication of users without passing
+    credentials in cleartext over the wire.  The "domain" parameter is
+    supported in Digest, allowing the server to restrict an
+    authentication session to a particular set of URIs.</para>
 
   </sect2>
 
-- 
cgit v1.2.1