rfcdiff: p7-auth-orig.txt (left) against draft-fielding-http-p7-auth-00.txt (right)
Where the two versions differ line by line, the old text is given first
and the new text after " | "; lines identical in both versions appear
once. Where a whole block differs (the title page header and the
Authors' Addresses), each version is listed under its file name.

p7-auth-orig.txt:

Network Working Group                                        R. Fielding
Internet-Draft                                                 UC Irvine
Obsoletes: 2068, 2616, 2617                                    J. Gettys
(if approved)                                                 Compaq/W3C
Intended status: Standards Track                                J. Mogul
Expires: March 4, 2008                                            Compaq
                                                              H. Frystyk
                                                                 W3C/MIT
                                                             L. Masinter
                                                                   Xerox
                                                                P. Leach
                                                               Microsoft
                                                          T. Berners-Lee
                                                                 W3C/MIT
                                                          September 2007

draft-fielding-http-p7-auth-00.txt:

Network Working Group                                   R. Fielding, Ed.
Internet-Draft                                              Day Software
Obsoletes: 2068, 2616, 2617                                    J. Gettys
(if approved)                                                   J. Mogul
Intended status: Standards Track                                      HP
Expires: May 14, 2008                                         H. Frystyk
                                                               Microsoft
                                                             L. Masinter
                                                           Adobe Systems
                                                                P. Leach
                                                               Microsoft
                                                          T. Berners-Lee
                                                                 W3C/MIT
                                                       November 11, 2007

                    HTTP/1.1, part 7: Authentication
                     draft-fielding-http-p7-auth-00
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

skipping to change at page 1, line 45 | page 1, line 44

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 4, 2008. | This Internet-Draft will expire on May 14, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   The Hypertext Transfer Protocol (HTTP) is an application-level
   protocol for distributed, collaborative, hypermedia information
   systems.  HTTP has been in use by the World Wide Web global
skipping to change at page 2, line 23 | page 2, line 23

   7 defines HTTP Authentication.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Header Field Definitions . . . . . . . . . . . . . . . . . . .  3
     2.1.  Authorization  . . . . . . . . . . . . . . . . . . . . . .  3
     2.2.  Proxy-Authenticate . . . . . . . . . . . . . . . . . . . .  4
     2.3.  Proxy-Authorization  . . . . . . . . . . . . . . . . . . .  4
     2.4.  WWW-Authenticate . . . . . . . . . . . . . . . . . . . . .  5
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .  5 | 3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  5
     3.1.  Authentication Credentials and Idle Clients  . . . . . . .  5 | 4.  Security Considerations . . . . . . . . . . . . . . . . . . .  5
   4.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  6 |   4.1.  Authentication Credentials and Idle Clients  . . . . . . .  5
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  6 | 5.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  6
    | 6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  6
   Index  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .  7
   Intellectual Property and Copyright Statements . . . . . . . . . .  9

1.  Introduction

   This document will define aspects of HTTP related to access control
   and authentication.  Right now it only includes the extracted
   relevant sections of RFC 2616 [RFC2616] with only minor edits.
skipping to change at page 5, line 31 | page 5, line 31

       WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge

   The HTTP access authentication process is described in "HTTP
   Authentication: Basic and Digest Access Authentication" [RFC2617].
   User agents are advised to take special care in parsing the
   WWW-Authenticate field value as it might contain more than one
   challenge, or if more than one WWW-Authenticate header field is
   provided, the contents of a challenge itself can contain a
   comma-separated list of authentication parameters.
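The two-level comma structure described above (a list of challenges, each of which may itself carry a comma-separated list of auth-params, with commas also legal inside quoted-string values) is exactly where a naive `split(",")` goes wrong, and a user agent that mis-parses it can end up answering the wrong challenge or sending parameters to the wrong scheme. The following is an added example, not text from the draft and not code from the IETF or any HTTP implementation: a Python parser for the RFC 2617 challenge grammar (auth-scheme followed by auth-params of the form token "=" (token | quoted-string)) that handles several challenges in one field value and across repeated header fields. The function names, the policy of rejecting duplicate parameters, and the sample header values are assumptions of this example.

```python
"""Added example (not from the draft): parse WWW-Authenticate field values
following the RFC 2617 grammar  challenge = auth-scheme 1*SP 1#auth-param,
auth-param = token "=" ( token | quoted-string ).  Function names and the
sample header values below are assumptions of this example."""
import re

# token per RFC 2616: any CHAR except CTLs and separators
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def _tokenize(value):
    """Split a field value into (kind, text) pairs: TOKEN, QUOTED, '=' or ','.
    Commas and '=' inside a quoted-string are kept as part of its text."""
    tokens = []
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c in " \t":
            i += 1
        elif c in ",=":
            tokens.append((c, c))
            i += 1
        elif c == '"':
            j, buf = i + 1, []
            while j < n and value[j] != '"':
                if value[j] == "\\" and j + 1 < n:   # quoted-pair: \x
                    j += 1
                buf.append(value[j])
                j += 1
            if j >= n:
                raise ValueError("unterminated quoted-string")
            tokens.append(("QUOTED", "".join(buf)))
            i = j + 1
        else:
            m = _TOKEN_RE.match(value, i)
            if not m:
                raise ValueError(f"unexpected character {c!r} at offset {i}")
            tokens.append(("TOKEN", m.group()))
            i = m.end()
    return tokens


def _is_param_at(tokens, i):
    """True if tokens[i:] starts with  token "="  (an auth-param, not a scheme)."""
    return i + 1 < len(tokens) and tokens[i][0] == "TOKEN" and tokens[i + 1][0] == "="


def parse_www_authenticate(value):
    """Return a list of {"scheme": str, "params": {name: value}} challenges.
    A comma followed by  token "="  continues the current challenge's parameter
    list; a comma followed by a bare token starts a new challenge."""
    tokens = _tokenize(value)
    challenges = []
    i = 0
    while i < len(tokens):
        if tokens[i][0] == ",":          # tolerate empty list elements
            i += 1
            continue
        kind, scheme = tokens[i]
        if kind != "TOKEN" or _is_param_at(tokens, i):
            raise ValueError(f"expected auth-scheme, got {scheme!r}")
        i += 1
        params = {}
        while i < len(tokens):
            if tokens[i][0] == ",":
                if _is_param_at(tokens, i + 1):
                    i += 1
                    continue
                break                    # next list element is a new challenge
            if not _is_param_at(tokens, i):
                raise ValueError(f"unexpected {tokens[i][1]!r} in {scheme} challenge")
            name = tokens[i][1].lower()  # auth-param names are case-insensitive
            if i + 2 >= len(tokens) or tokens[i + 2][0] not in ("TOKEN", "QUOTED"):
                raise ValueError(f"missing value for parameter {name!r}")
            if name in params:           # ambiguous which value wins: refuse
                raise ValueError(f"duplicate parameter {name!r} in {scheme} challenge")
            params[name] = tokens[i + 2][1]
            i += 3
        challenges.append({"scheme": scheme, "params": params})
    return challenges


def parse_challenges(field_values):
    """Combine repeated WWW-Authenticate header fields (each a 1#challenge list)."""
    return parse_www_authenticate(", ".join(field_values))


if __name__ == "__main__":
    # Constructed sample: two challenges in one field, commas inside a quoted value.
    sample = ('Basic realm="simple", Digest realm="test@example.test", '
              'qop="auth,auth-int", nonce="constructed-nonce-0001", algorithm=MD5')
    for ch in parse_www_authenticate(sample):
        print(ch["scheme"], ch["params"])
```

The only real ambiguity in this grammar is what follows a comma: the parser decides by looking one token ahead for `token "="`, which is what distinguishes `realm="b"` (another parameter) from `Digest realm="b"` (a new challenge). Duplicate parameters are rejected rather than silently overwritten, so two conflicting `realm` values cannot steer the client to the wrong credential set.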
3.  Security Considerations | 3.  IANA Considerations

    | TBD.

    | 4.  Security Considerations
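Review bot: the new Section 3 (IANA Considerations) is only the placeholder "TBD."; before this draft advances it should either state the registry actions for the four header fields defined in Section 2 (Authorization, Proxy-Authenticate, Proxy-Authorization, WWW-Authenticate) or say explicitly that no IANA action is requested, since inserting the section has already renumbered Security Considerations from 3 to 4.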
   This section is meant to inform application developers, information
   providers, and users of the security limitations in HTTP/1.1 as
   described by this document.  The discussion does not include
   definitive solutions to the problems revealed, though it does make
   some suggestions for reducing security risks.

3.1.  Authentication Credentials and Idle Clients | 4.1.  Authentication Credentials and Idle Clients
   Existing HTTP clients and user agents typically retain authentication
   information indefinitely.  HTTP/1.1 does not provide a method for a
   server to direct clients to discard these cached credentials.  This
   is a significant defect that requires further extensions to HTTP.
   Circumstances under which credential caching can interfere with the
   application's security model include but are not limited to:

   o  Clients which have been idle for an extended period following
      which the server might wish to cause the client to reprompt the
skipping to change at page 6, line 18 | page 6, line 23

      for the client to retain the credentials.

   This is currently under separate study.  There are a number of
   workarounds to parts of this problem, and we encourage the use of
   password protection in screen savers, idle time-outs, and other
   methods which mitigate the security problems inherent in this
   problem.  In particular, user agents which cache credentials are
   encouraged to provide a readily accessible mechanism for discarding
   cached credentials under user control.
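The two mitigations the draft names, an idle time-out and a user-controlled way to discard cached credentials, are straightforward to build into a user agent's credential store even though the protocol itself gives the server no way to request it. The following is an added example, not text from the draft and not code from any HTTP implementation: a small Python credential cache keyed by (origin, realm) that forgets an entry once it has gone unused for longer than the idle period and lets the user drop entries on demand. The class name, the key shape, the default time-out and the injectable clock are assumptions of this example.

```python
"""Added example (not from the draft): a user-agent credential cache that
applies the draft's suggested mitigations, an idle time-out and a
user-controlled discard, instead of retaining credentials indefinitely.
The class name, (origin, realm) key shape and default time-out are assumptions."""
import time


class CredentialCache:
    """Caches (origin, realm) -> credentials, forgetting them after
    idle_timeout seconds without use or when the user discards them."""

    def __init__(self, idle_timeout=900.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # assumed default: 15 minutes
        self._clock = clock                # injectable so tests can advance time
        self._entries = {}                 # (origin, realm) -> (credentials, last_used)

    def store(self, origin, realm, credentials):
        """Remember credentials the user just supplied for this origin and realm."""
        self._entries[(origin, realm)] = (credentials, self._clock())

    def lookup(self, origin, realm):
        """Return cached credentials and refresh their last-used time, or
        None (evicting the entry) once the idle time-out has elapsed, so the
        user agent re-prompts instead of silently re-authenticating."""
        key = (origin, realm)
        entry = self._entries.get(key)
        if entry is None:
            return None
        credentials, last_used = entry
        if self._clock() - last_used > self.idle_timeout:
            del self._entries[key]
            return None
        self._entries[key] = (credentials, self._clock())
        return credentials

    def discard(self, origin=None):
        """User-controlled discard: drop one origin's credentials, or all of them."""
        if origin is None:
            self._entries.clear()
            return
        for key in [k for k in self._entries if k[0] == origin]:
            del self._entries[key]

    def __len__(self):
        return len(self._entries)


if __name__ == "__main__":
    cache = CredentialCache(idle_timeout=60.0)
    cache.store("https://example.test", "constructed-realm", ("alice", "s3cret"))
    print(cache.lookup("https://example.test", "constructed-realm"))
    cache.discard()                        # e.g. wired to a "forget logins" control
    print(len(cache))
```

Measuring idleness from the last successful lookup rather than from the time of storage is the deliberate choice here: a user who is actively working keeps their session, while a workstation left unattended loses its cached credentials after the time-out, which is the case the draft is concerned about.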
4.  Acknowledgments | 5.  Acknowledgments

   Based on an XML translation of RFC 2616 by Julian Reschke.

5.  References | 6.  References

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
              Leach, P., Luotonen, A., and L. Stewart, "HTTP
              Authentication: Basic and Digest Access Authentication",
              RFC 2617, June 1999.

skipping to change at page 7, line 15 | page 7, line 20

   P
      Proxy-Authenticate header  4
      Proxy-Authorization header  4

   W
      WWW-Authenticate header  5

Authors' Addresses
p7-auth-orig.txt:

   Roy T. Fielding
   Department of Information and Computer Science
   University of California, Irvine
   Irvine, CA 92697-3425
   USA

   Fax:   +1(949)824-1715
   Email: fielding@ics.uci.edu

draft-fielding-http-p7-auth-00.txt:

   Roy T. Fielding (editor)
   Day Software
   23 Corporate Plaza DR, Suite 280
   Newport Beach, CA 92660

   Phone: +1-949-706-5300
   Fax:   +1-949-706-5305
   Email: fielding@gbiv.com
   URI:   http://roy.gbiv.com/

p7-auth-orig.txt:

   James Gettys
   World Wide Web Consortium
   MIT Laboratory for Computer Science, NE43-356
   545 Technology Square
   Cambridge, MA 02139
   USA

   Fax:   +1(617)258-8682
   Email: jg@w3.org

draft-fielding-http-p7-auth-00.txt:

   James Gettys
   Hewlett-Packard Company
   HP Labs, Cambridge Research Laboratory
   One Cambridge Center
   Cambridge, MA 02138

   Email: Jim.Gettys@hp.com

p7-auth-orig.txt:

   Jeffrey C. Mogul
   Compaq Computer Corporation
   Western Research Laboratory
   250 University Avenue
   Palo Alto, CA 94305
   USA

   Email: mogul@wrl.dec.com

draft-fielding-http-p7-auth-00.txt:

   Jeffrey C. Mogul
   Hewlett-Packard Company
   HP Labs, Large Scale Systems Group
   1501 Page Mill Road, MS 1177
   Palo Alto, CA 94304

   Email: JeffMogul@acm.org

p7-auth-orig.txt:

   Henrik Frystyk Nielsen
   World Wide Web Consortium
   MIT Laboratory for Computer Science, NE43-356
   545 Technology Square
   Cambridge, MA 02139

   Fax:   +1(617)258-8682
   Email: frystyk@w3.org

draft-fielding-http-p7-auth-00.txt:

   Henrik Frystyk Nielsen
   Microsoft Corporation
   1 Microsoft Way
   Redmond, WA 98052
   USA

   Email: henrikn@microsoft.com

p7-auth-orig.txt:

   Larry Masinter
   Xerox Corporation
   MIT Laboratory for Computer Science, NE43-356
   3333 Coyote Hill Road
   Palo Alto, CA 94034

   Email: masinter@parc.xerox.com

draft-fielding-http-p7-auth-00.txt:

   Larry Masinter
   Adobe Systems, Incorporated
   345 Park Ave
   San Jose, CA 95110
   USA

   Email: LMM@acm.org
   URI:   http://larry.masinter.net/

   Paul J. Leach
   Microsoft Corporation
   1 Microsoft Way
   Redmond, WA 98052

   Email: paulle@microsoft.com

p7-auth-orig.txt:

   Tim Berners-Lee
   World Wide Web Consortium
   MIT Laboratory for Computer Science, NE43-356
   545 Technology Square
   Cambridge, MA 02139
   USA

   Fax:   +1(617)258-8682
   Email: timbl@w3.org

draft-fielding-http-p7-auth-00.txt:

   Tim Berners-Lee
   World Wide Web Consortium
   MIT Laboratory for Computer Science
   545 Technology Square
   Cambridge, MA 02139

   Fax:   +1 (617) 258 8682
   Email: timbl@w3.org
Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

End of changes.  23 change blocks.
48 lines changed or deleted, 57 lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/