draft-ietf-httpbis-p7-auth-08.txt   draft-ietf-httpbis-p7-auth-09.txt 
HTTPbis Working Group R. Fielding, Ed. HTTPbis Working Group R. Fielding, Ed.
Internet-Draft Day Software Internet-Draft Day Software
Obsoletes: 2616 (if approved) J. Gettys Obsoletes: 2616 (if approved) J. Gettys
Updates: 2617 (if approved) One Laptop per Child Updates: 2617 (if approved) One Laptop per Child
Intended status: Standards Track J. Mogul Intended status: Standards Track J. Mogul
Expires: April 29, 2010 HP Expires: September 9, 2010 HP
H. Frystyk H. Frystyk
Microsoft Microsoft
L. Masinter L. Masinter
Adobe Systems Adobe Systems
P. Leach P. Leach
Microsoft Microsoft
T. Berners-Lee T. Berners-Lee
W3C/MIT W3C/MIT
Y. Lafon, Ed. Y. Lafon, Ed.
W3C W3C
J. Reschke, Ed. J. Reschke, Ed.
greenbytes greenbytes
October 26, 2009 March 8, 2010
HTTP/1.1, part 7: Authentication HTTP/1.1, part 7: Authentication
draft-ietf-httpbis-p7-auth-08 draft-ietf-httpbis-p7-auth-09
Abstract
The Hypertext Transfer Protocol (HTTP) is an application-level
protocol for distributed, collaborative, hypermedia information
systems. HTTP has been in use by the World Wide Web global
information initiative since 1990. This document is Part 7 of the
seven-part specification that defines the protocol referred to as
"HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines
HTTP Authentication.
Editorial Note (To be removed by RFC Editor)
Discussion of this draft should take place on the HTTPBIS working
group mailing list (ietf-http-wg@w3.org). The current issues list is
at <http://tools.ietf.org/wg/httpbis/trac/report/11> and related
documents (including fancy diffs) can be found at
<http://tools.ietf.org/wg/httpbis/>.
The changes in this draft are summarized in Appendix C.10.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79.
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
skipping to change at page 2, line 4 skipping to change at page 2, line 14
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 29, 2010. This Internet-Draft will expire on September 9, 2010.
draft-ietf-httpbis-p7-auth-08:

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.

Abstract

The Hypertext Transfer Protocol (HTTP) is an application-level
protocol for distributed, collaborative, hypermedia information
systems. HTTP has been in use by the World Wide Web global
information initiative since 1990. This document is Part 7 of the
seven-part specification that defines the protocol referred to as
"HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines
HTTP Authentication.

Editorial Note (To be removed by RFC Editor)

Discussion of this draft should take place on the HTTPBIS working
group mailing list (ietf-http-wg@w3.org). The current issues list is
at <http://tools.ietf.org/wg/httpbis/trac/report/11> and related
documents (including fancy diffs) can be found at
<http://tools.ietf.org/wg/httpbis/>.

The changes in this draft are summarized in Appendix C.9.

draft-ietf-httpbis-p7-auth-09:

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.

This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 4 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 4
1.2.1. Core Rules . . . . . . . . . . . . . . . . . . . . . . 5 1.2.1. Core Rules . . . . . . . . . . . . . . . . . . . . . . 5
1.2.2. ABNF Rules defined in other Parts of the 1.2.2. ABNF Rules defined in other Parts of the
Specification . . . . . . . . . . . . . . . . . . . . 5 Specification . . . . . . . . . . . . . . . . . . . . 5
2. Status Code Definitions . . . . . . . . . . . . . . . . . . . 5 2. Status Code Definitions . . . . . . . . . . . . . . . . . . . 5
skipping to change at page 3, line 44 skipping to change at page 3, line 44
publication) . . . . . . . . . . . . . . . . . . . . 11 publication) . . . . . . . . . . . . . . . . . . . . 11
C.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 11 C.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 11
C.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 11 C.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 11
C.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 11 C.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 11
C.4. Since draft-ietf-httpbis-p7-auth-02 . . . . . . . . . . . 12 C.4. Since draft-ietf-httpbis-p7-auth-02 . . . . . . . . . . . 12
C.5. Since draft-ietf-httpbis-p7-auth-03 . . . . . . . . . . . 12 C.5. Since draft-ietf-httpbis-p7-auth-03 . . . . . . . . . . . 12
C.6. Since draft-ietf-httpbis-p7-auth-04 . . . . . . . . . . . 12 C.6. Since draft-ietf-httpbis-p7-auth-04 . . . . . . . . . . . 12
C.7. Since draft-ietf-httpbis-p7-auth-05 . . . . . . . . . . . 12 C.7. Since draft-ietf-httpbis-p7-auth-05 . . . . . . . . . . . 12
C.8. Since draft-ietf-httpbis-p7-auth-06 . . . . . . . . . . . 12 C.8. Since draft-ietf-httpbis-p7-auth-06 . . . . . . . . . . . 12
C.9. Since draft-ietf-httpbis-p7-auth-07 . . . . . . . . . . . 12 C.9. Since draft-ietf-httpbis-p7-auth-07 . . . . . . . . . . . 12
C.10. Since draft-ietf-httpbis-p7-auth-08 . . . . . . . . . . . 13
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction 1. Introduction
This document defines HTTP/1.1 access control and authentication. This document defines HTTP/1.1 access control and authentication.
Right now it includes the extracted relevant sections of RFC 2616 Right now it includes the extracted relevant sections of RFC 2616
with only minor changes. The intention is to move the general with only minor changes. The intention is to move the general
framework for HTTP authentication here, as currently specified in framework for HTTP authentication here, as currently specified in
[RFC2617], and allow the individual authentication mechanisms to be [RFC2617], and allow the individual authentication mechanisms to be
defined elsewhere. This introduction will be rewritten when that defined elsewhere. This introduction will be rewritten when that
occurs. occurs.
skipping to change at page 6, line 8 skipping to change at page 6, line 8
[RFC2617]. [RFC2617].
3. Header Field Definitions 3. Header Field Definitions
This section defines the syntax and semantics of HTTP/1.1 header This section defines the syntax and semantics of HTTP/1.1 header
fields related to authentication. fields related to authentication.
3.1. Authorization 3.1. Authorization
The "Authorization" request-header field allows a user agent to The "Authorization" request-header field allows a user agent to
authenticate itself with a server -- usually, but not necessary, authenticate itself with a server -- usually, but not necessarily,
after receiving a 401 (Unauthorized) response. Its value consists of after receiving a 401 (Unauthorized) response. Its value consists of
credentials containing information of the user agent for the realm of credentials containing information of the user agent for the realm of
the resource being requested. the resource being requested.
Authorization = "Authorization" ":" OWS Authorization-v Authorization = "Authorization" ":" OWS Authorization-v
Authorization-v = credentials Authorization-v = credentials
HTTP access authentication is described in "HTTP Authentication: HTTP access authentication is described in "HTTP Authentication:
Basic and Digest Access Authentication" [RFC2617]. If a request is Basic and Digest Access Authentication" [RFC2617]. If a request is
authenticated and a realm specified, the same credentials SHOULD be authenticated and a realm specified, the same credentials SHOULD be
skipping to change at page 9, line 21 skipping to change at page 9, line 21
server to direct clients to discard these cached credentials. This server to direct clients to discard these cached credentials. This
is a significant defect that requires further extensions to HTTP. is a significant defect that requires further extensions to HTTP.
Circumstances under which credential caching can interfere with the Circumstances under which credential caching can interfere with the
application's security model include but are not limited to: application's security model include but are not limited to:
o Clients which have been idle for an extended period following o Clients which have been idle for an extended period following
which the server might wish to cause the client to reprompt the which the server might wish to cause the client to reprompt the
user for credentials. user for credentials.
o Applications which include a session termination indication (such o Applications which include a session termination indication (such
as a `logout' or `commit' button on a page) after which the server as a "logout" or "commit" button on a page) after which the server
side of the application `knows' that there is no further reason side of the application "knows" that there is no further reason
for the client to retain the credentials. for the client to retain the credentials.
This is currently under separate study. There are a number of work- This is currently under separate study. There are a number of work-
arounds to parts of this problem, and we encourage the use of arounds to parts of this problem, and we encourage the use of
password protection in screen savers, idle time-outs, and other password protection in screen savers, idle time-outs, and other
methods which mitigate the security problems inherent in this methods which mitigate the security problems inherent in this
problem. In particular, user agents which cache credentials are problem. In particular, user agents which cache credentials are
encouraged to provide a readily accessible mechanism for discarding encouraged to provide a readily accessible mechanism for discarding
cached credentials under user control. cached credentials under user control.
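The following is an added illustration, not text from either draft, of the two points above: a user agent that answers a 401 (Unauthorized) challenge with credentials in the Authorization field, and then caches those credentials per (host, realm) with the idle time-out and user-controlled discard that this section encourages, since the protocol itself gives the server no way to make the client forget them. The WWW-Authenticate challenge syntax and the "Aladdin" / "open sesame" Basic example are taken from RFC 2617, which the draft cites; the CredentialCache class, the function names and the 300-second time-out are this example's own assumptions.

```python
"""User-agent side of HTTP access authentication: build the Authorization
field and cache credentials per (host, realm) with an idle time-out.

Added example; the cache design and names are assumptions, the Basic
scheme and challenge syntax follow RFC 2617.
"""
import base64
import re
import time

# Challenge: WWW-Authenticate: <scheme> <param>=<value>, ...  (RFC 2617 syntax)
_CHALLENGE_RE = re.compile(r'^\s*(?P<scheme>[A-Za-z][A-Za-z0-9._~+-]*)\s+(?P<params>.*)$')
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header_value):
    """Return (scheme, params) from a WWW-Authenticate field value.

    Quoted-string values keep embedded commas; bare tokens stop at ',' or space.
    """
    m = _CHALLENGE_RE.match(header_value)
    if not m:
        raise ValueError("malformed challenge: %r" % header_value)
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(m.group("params")):
        params[key.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return m.group("scheme").lower(), params


def basic_credentials(user, password):
    """Credentials token for 'Authorization: Basic ...' (RFC 2617 section 2)."""
    if ":" in user:
        raise ValueError("user-id may not contain ':'")
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


class CredentialCache:
    """Credentials cached per (host, realm), expired after idle_timeout seconds.

    There is no HTTP mechanism for the server to ask the client to discard
    cached credentials, so the client has to bound their lifetime itself
    and give the user an explicit way to drop them (discard()).
    """

    def __init__(self, idle_timeout, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self._clock = clock
        self._entries = {}  # (host, realm) -> [credentials, last_used]

    def store(self, host, realm, credentials):
        self._entries[(host, realm)] = [credentials, self._clock()]

    def lookup(self, host, realm):
        """Return cached credentials for this realm, or None if absent/expired."""
        entry = self._entries.get((host, realm))
        if entry is None:
            return None
        credentials, last_used = entry
        if self._clock() - last_used > self.idle_timeout:
            del self._entries[(host, realm)]  # idle too long: force a re-prompt
            return None
        entry[1] = self._clock()
        return credentials

    def discard(self, host=None):
        """User-controlled discard: everything, or only one host's realms."""
        if host is None:
            self._entries.clear()
        else:
            for key in [k for k in self._entries if k[0] == host]:
                del self._entries[key]

    def __len__(self):
        return len(self._entries)


def authorization_header(cache, host, realm):
    """Header line to send for a request in (host, realm), or None to re-prompt."""
    credentials = cache.lookup(host, realm)
    return None if credentials is None else "Authorization: " + credentials


def simulate():
    """Constructed exchange: 401 challenge, cached reuse in the same realm,
    no reuse across realms, expiry after the idle time-out."""
    now = [1000.0]
    cache = CredentialCache(idle_timeout=300, clock=lambda: now[0])
    # Constructed 401 response from host example.org carrying this challenge:
    scheme, params = parse_challenge('Basic realm="WallyWorld"')
    assert scheme == "basic"
    cache.store("example.org", params["realm"], basic_credentials("Aladdin", "open sesame"))
    first = authorization_header(cache, "example.org", "WallyWorld")
    other_realm = authorization_header(cache, "example.org", "Admin")  # different realm
    now[0] += 301  # client idle longer than the time-out
    expired = authorization_header(cache, "example.org", "WallyWorld")
    return first, other_realm, expired


if __name__ == "__main__":
    print(simulate())
```

The realm is part of the cache key on purpose: credentials obtained for one protection space are never replayed into another on the same host, and an idle client is forced back to the prompt instead of silently re-sending stale credentials.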
6. Acknowledgments 6. Acknowledgments
[[anchor2: TBD.]] [[acks: TBD.]]
7. References 7. References
7.1. Normative References 7.1. Normative References
[Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., [Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed.,
and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections, and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections,
and Message Parsing", draft-ietf-httpbis-p1-messaging-08 and Message Parsing", draft-ietf-httpbis-p1-messaging-09
(work in progress), October 2009. (work in progress), March 2010.
[Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed.,
Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1, part Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1, part
6: Caching", draft-ietf-httpbis-p6-cache-08 (work in 6: Caching", draft-ietf-httpbis-p6-cache-09 (work in
progress), October 2009. progress), March 2010.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A., and L. Stewart, "HTTP Leach, P., Luotonen, A., and L. Stewart, "HTTP
Authentication: Basic and Digest Access Authentication", Authentication: Basic and Digest Access Authentication",
RFC 2617, June 1999. RFC 2617, June 1999.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
skipping to change at page 13, line 5 skipping to change at page 13, line 5
None. None.
C.9. Since draft-ietf-httpbis-p7-auth-07 C.9. Since draft-ietf-httpbis-p7-auth-07
Closed issues: Closed issues:
o <http://tools.ietf.org/wg/httpbis/trac/ticket/198>: "move IANA o <http://tools.ietf.org/wg/httpbis/trac/ticket/198>: "move IANA
registrations for optional status codes" registrations for optional status codes"
C.10. Since draft-ietf-httpbis-p7-auth-08
No significant changes.
Index Index
4 4
401 Unauthorized (status code) 5 401 Unauthorized (status code) 5
407 Proxy Authentication Required (status code) 5 407 Proxy Authentication Required (status code) 5
A A
Authorization header 6 Authorization header 6
G G
 End of changes. 17 change blocks. 
48 lines changed or deleted 60 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/