draft-ietf-httpbis-p7-auth-10.txt   draft-ietf-httpbis-p7-auth-11.txt 
HTTPbis Working Group R. Fielding, Ed. HTTPbis Working Group R. Fielding, Ed.
Internet-Draft Day Software Internet-Draft Day Software
Obsoletes: 2616 (if approved) J. Gettys Obsoletes: 2616 (if approved) J. Gettys
Updates: 2617 (if approved) Alcatel-Lucent Updates: 2617 (if approved) Alcatel-Lucent
Intended status: Standards Track J. Mogul Intended status: Standards Track J. Mogul
Expires: January 13, 2011 HP Expires: February 5, 2011 HP
H. Frystyk H. Frystyk
Microsoft Microsoft
L. Masinter L. Masinter
Adobe Systems Adobe Systems
P. Leach P. Leach
Microsoft Microsoft
T. Berners-Lee T. Berners-Lee
W3C/MIT W3C/MIT
Y. Lafon, Ed. Y. Lafon, Ed.
W3C W3C
J. Reschke, Ed. J. Reschke, Ed.
greenbytes greenbytes
July 12, 2010 August 4, 2010
HTTP/1.1, part 7: Authentication HTTP/1.1, part 7: Authentication
draft-ietf-httpbis-p7-auth-10 draft-ietf-httpbis-p7-auth-11
Abstract Abstract
The Hypertext Transfer Protocol (HTTP) is an application-level The Hypertext Transfer Protocol (HTTP) is an application-level
protocol for distributed, collaborative, hypermedia information protocol for distributed, collaborative, hypermedia information
systems. HTTP has been in use by the World Wide Web global systems. HTTP has been in use by the World Wide Web global
information initiative since 1990. This document is Part 7 of the information initiative since 1990. This document is Part 7 of the
seven-part specification that defines the protocol referred to as seven-part specification that defines the protocol referred to as
"HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines
HTTP Authentication. HTTP Authentication.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
Discussion of this draft should take place on the HTTPBIS working Discussion of this draft should take place on the HTTPBIS working
group mailing list (ietf-http-wg@w3.org). The current issues list is group mailing list (ietf-http-wg@w3.org). The current issues list is
at <http://tools.ietf.org/wg/httpbis/trac/report/3> and related at <http://tools.ietf.org/wg/httpbis/trac/report/3> and related
documents (including fancy diffs) can be found at documents (including fancy diffs) can be found at
<http://tools.ietf.org/wg/httpbis/>. <http://tools.ietf.org/wg/httpbis/>.
The changes in this draft are summarized in Appendix C.11. The changes in this draft are summarized in Appendix B.12.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 13, 2011. This Internet-Draft will expire on February 5, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 23 skipping to change at page 3, line 23
2. Status Code Definitions . . . . . . . . . . . . . . . . . . . 5 2. Status Code Definitions . . . . . . . . . . . . . . . . . . . 5
2.1. 401 Unauthorized . . . . . . . . . . . . . . . . . . . . . 5 2.1. 401 Unauthorized . . . . . . . . . . . . . . . . . . . . . 5
2.2. 407 Proxy Authentication Required . . . . . . . . . . . . 5 2.2. 407 Proxy Authentication Required . . . . . . . . . . . . 5
3. Header Field Definitions . . . . . . . . . . . . . . . . . . . 5 3. Header Field Definitions . . . . . . . . . . . . . . . . . . . 5
3.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 6
3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . . . . 6 3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . . . . 6
3.3. Proxy-Authorization . . . . . . . . . . . . . . . . . . . 7 3.3. Proxy-Authorization . . . . . . . . . . . . . . . . . . . 7
3.4. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 7 3.4. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
4.1. Status Code Registration . . . . . . . . . . . . . . . . . 8 4.1. Status Code Registration . . . . . . . . . . . . . . . . . 8
4.2. Message Header Registration . . . . . . . . . . . . . . . 8 4.2. Header Field Registration . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
5.1. Authentication Credentials and Idle Clients . . . . . . . 9 5.1. Authentication Credentials and Idle Clients . . . . . . . 9
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Normative References . . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . . 9
7.2. Informative References . . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . . 10
Appendix A. Compatibility with Previous Versions . . . . . . . . 10 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 10
A.1. Changes from RFC 2616 . . . . . . . . . . . . . . . . . . 10 Appendix B. Change Log (to be removed by RFC Editor before
Appendix B. Collected ABNF . . . . . . . . . . . . . . . . . . . 10
Appendix C. Change Log (to be removed by RFC Editor before
publication) . . . . . . . . . . . . . . . . . . . . 11 publication) . . . . . . . . . . . . . . . . . . . . 11
C.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 11 B.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 11
C.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 11 B.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 11
C.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 11 B.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 11
C.4. Since draft-ietf-httpbis-p7-auth-02 . . . . . . . . . . . 11 B.4. Since draft-ietf-httpbis-p7-auth-02 . . . . . . . . . . . 11
C.5. Since draft-ietf-httpbis-p7-auth-03 . . . . . . . . . . . 11 B.5. Since draft-ietf-httpbis-p7-auth-03 . . . . . . . . . . . 11
C.6. Since draft-ietf-httpbis-p7-auth-04 . . . . . . . . . . . 11 B.6. Since draft-ietf-httpbis-p7-auth-04 . . . . . . . . . . . 11
C.7. Since draft-ietf-httpbis-p7-auth-05 . . . . . . . . . . . 12 B.7. Since draft-ietf-httpbis-p7-auth-05 . . . . . . . . . . . 12
C.8. Since draft-ietf-httpbis-p7-auth-06 . . . . . . . . . . . 12 B.8. Since draft-ietf-httpbis-p7-auth-06 . . . . . . . . . . . 12
C.9. Since draft-ietf-httpbis-p7-auth-07 . . . . . . . . . . . 12 B.9. Since draft-ietf-httpbis-p7-auth-07 . . . . . . . . . . . 12
C.10. Since draft-ietf-httpbis-p7-auth-08 . . . . . . . . . . . 12 B.10. Since draft-ietf-httpbis-p7-auth-08 . . . . . . . . . . . 12
C.11. Since draft-ietf-httpbis-p7-auth-09 . . . . . . . . . . . 12 B.11. Since draft-ietf-httpbis-p7-auth-09 . . . . . . . . . . . 12
B.12. Since draft-ietf-httpbis-p7-auth-10 . . . . . . . . . . . 12
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
This document defines HTTP/1.1 access control and authentication. This document defines HTTP/1.1 access control and authentication.
Right now it includes the extracted relevant sections of RFC 2616 Right now it includes the extracted relevant sections of RFC 2616
with only minor changes. The intention is to move the general with only minor changes. The intention is to move the general
framework for HTTP authentication here, as currently specified in framework for HTTP authentication here, as currently specified in
[RFC2617], and allow the individual authentication mechanisms to be [RFC2617], and allow the individual authentication mechanisms to be
defined elsewhere. This introduction will be rewritten when that defined elsewhere. This introduction will be rewritten when that
skipping to change at page 4, line 43 skipping to change at page 4, line 43
"REQUIRED" level and all the "SHOULD" level requirements for its "REQUIRED" level and all the "SHOULD" level requirements for its
protocols is said to be "unconditionally compliant"; one that protocols is said to be "unconditionally compliant"; one that
satisfies all the "MUST" level requirements but not all the "SHOULD" satisfies all the "MUST" level requirements but not all the "SHOULD"
level requirements for its protocols is said to be "conditionally level requirements for its protocols is said to be "conditionally
compliant". compliant".
1.2. Syntax Notation 1.2. Syntax Notation
This specification uses the ABNF syntax defined in Section 1.2 of This specification uses the ABNF syntax defined in Section 1.2 of
[Part1] (which extends the syntax defined in [RFC5234] with a list [Part1] (which extends the syntax defined in [RFC5234] with a list
rule). Appendix B shows the collected ABNF, with the list rule rule). Appendix A shows the collected ABNF, with the list rule
expanded. expanded.
The following core rules are included by reference, as defined in The following core rules are included by reference, as defined in
[RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF
(CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote), (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote),
HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any 8-bit HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any 8-bit
sequence of data), SP (space), VCHAR (any visible USASCII character), sequence of data), SP (space), VCHAR (any visible USASCII character),
and WSP (whitespace). and WSP (whitespace).
1.2.1. Core Rules 1.2.1. Core Rules
skipping to change at page 5, line 24 skipping to change at page 5, line 24
challenge = <challenge, defined in [RFC2617], Section 1.2> challenge = <challenge, defined in [RFC2617], Section 1.2>
credentials = <credentials, defined in [RFC2617], Section 1.2> credentials = <credentials, defined in [RFC2617], Section 1.2>
2. Status Code Definitions 2. Status Code Definitions
2.1. 401 Unauthorized 2.1. 401 Unauthorized
The request requires user authentication. The response MUST include The request requires user authentication. The response MUST include
a WWW-Authenticate header field (Section 3.4) containing a challenge a WWW-Authenticate header field (Section 3.4) containing a challenge
applicable to the requested resource. The client MAY repeat the applicable to the target resource. The client MAY repeat the request
request with a suitable Authorization header field (Section 3.1). If with a suitable Authorization header field (Section 3.1). If the
the request already included Authorization credentials, then the 401 request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those response indicates that authorization has been refused for those
credentials. If the 401 response contains the same challenge as the credentials. If the 401 response contains the same challenge as the
prior response, and the user agent has already attempted prior response, and the user agent has already attempted
authentication at least once, then the user SHOULD be presented the authentication at least once, then the user SHOULD be presented the
entity that was given in the response, since that entity might representation that was given in the response, since that
include relevant diagnostic information. HTTP access authentication representation might include relevant diagnostic information. HTTP
is explained in "HTTP Authentication: Basic and Digest Access access authentication is explained in "HTTP Authentication: Basic and
Authentication" [RFC2617]. Digest Access Authentication" [RFC2617].
2.2. 407 Proxy Authentication Required 2.2. 407 Proxy Authentication Required
This code is similar to 401 (Unauthorized), but indicates that the This code is similar to 401 (Unauthorized), but indicates that the
client must first authenticate itself with the proxy. The proxy MUST client must first authenticate itself with the proxy. The proxy MUST
return a Proxy-Authenticate header field (Section 3.2) containing a return a Proxy-Authenticate header field (Section 3.2) containing a
challenge applicable to the proxy for the requested resource. The challenge applicable to the proxy for the target resource. The
client MAY repeat the request with a suitable Proxy-Authorization client MAY repeat the request with a suitable Proxy-Authorization
header field (Section 3.3). HTTP access authentication is explained header field (Section 3.3). HTTP access authentication is explained
in "HTTP Authentication: Basic and Digest Access Authentication" in "HTTP Authentication: Basic and Digest Access Authentication"
[RFC2617]. [RFC2617].
3. Header Field Definitions 3. Header Field Definitions
This section defines the syntax and semantics of HTTP/1.1 header This section defines the syntax and semantics of HTTP/1.1 header
fields related to authentication. fields related to authentication.
skipping to change at page 6, line 52 skipping to change at page 6, line 52
request-headers from the new request to allow the origin server request-headers from the new request to allow the origin server
to authenticate the new request. to authenticate the new request.
3. If the response includes the "public" cache-control directive, it 3. If the response includes the "public" cache-control directive, it
MAY be returned in reply to any subsequent request. MAY be returned in reply to any subsequent request.
3.2. Proxy-Authenticate 3.2. Proxy-Authenticate
The "Proxy-Authenticate" response-header field consists of a The "Proxy-Authenticate" response-header field consists of a
challenge that indicates the authentication scheme and parameters challenge that indicates the authentication scheme and parameters
applicable to the proxy for this Effective Request URI (Section 4.3 applicable to the proxy for this effective request URI (Section 4.3
of [Part1]). It MUST be included as part of a 407 (Proxy of [Part1]). It MUST be included as part of a 407 (Proxy
Authentication Required) response. Authentication Required) response.
Proxy-Authenticate = "Proxy-Authenticate" ":" OWS Proxy-Authenticate = "Proxy-Authenticate" ":" OWS
Proxy-Authenticate-v Proxy-Authenticate-v
Proxy-Authenticate-v = 1#challenge Proxy-Authenticate-v = 1#challenge
The HTTP access authentication process is described in "HTTP The HTTP access authentication process is described in "HTTP
Authentication: Basic and Digest Access Authentication" [RFC2617]. Authentication: Basic and Digest Access Authentication" [RFC2617].
Unlike WWW-Authenticate, the Proxy-Authenticate header field applies Unlike WWW-Authenticate, the Proxy-Authenticate header field applies
skipping to change at page 7, line 47 skipping to change at page 7, line 47
chain, the Proxy-Authorization header field is consumed by the first chain, the Proxy-Authorization header field is consumed by the first
outbound proxy that was expecting to receive credentials. A proxy outbound proxy that was expecting to receive credentials. A proxy
MAY relay the credentials from the client request to the next proxy MAY relay the credentials from the client request to the next proxy
if that is the mechanism by which the proxies cooperatively if that is the mechanism by which the proxies cooperatively
authenticate a given request. authenticate a given request.
3.4. WWW-Authenticate 3.4. WWW-Authenticate
The "WWW-Authenticate" response-header field consists of at least one The "WWW-Authenticate" response-header field consists of at least one
challenge that indicates the authentication scheme(s) and parameters challenge that indicates the authentication scheme(s) and parameters
applicable to the Effective Request URI (Section 4.3 of [Part1]). It applicable to the effective request URI (Section 4.3 of [Part1]). It
MUST be included in 401 (Unauthorized) response messages. MUST be included in 401 (Unauthorized) response messages.
WWW-Authenticate = "WWW-Authenticate" ":" OWS WWW-Authenticate-v WWW-Authenticate = "WWW-Authenticate" ":" OWS WWW-Authenticate-v
WWW-Authenticate-v = 1#challenge WWW-Authenticate-v = 1#challenge
The HTTP access authentication process is described in "HTTP The HTTP access authentication process is described in "HTTP
Authentication: Basic and Digest Access Authentication" [RFC2617]. Authentication: Basic and Digest Access Authentication" [RFC2617].
User agents are advised to take special care in parsing the WWW- User agents are advised to take special care in parsing the WWW-
Authenticate field value as it might contain more than one challenge, Authenticate field value as it might contain more than one challenge,
or if more than one WWW-Authenticate header field is provided, the or if more than one WWW-Authenticate header field is provided, the
contents of a challenge itself can contain a comma-separated list of contents of a challenge itself can contain a comma-separated list of
authentication parameters. authentication parameters.
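The parsing caution above (several challenges in one field value, several WWW-Authenticate fields, and comma-separated auth-params inside a single challenge) together with the repeated-401 rule of Section 2.1, worked as an added Python example that is not part of the draft: it parses a WWW-Authenticate or Proxy-Authenticate field value per the RFC 2617 challenge grammar (auth-scheme followed by auth-params whose values are a token or a quoted-string) and applies the same-challenge check. The function names, the lower-casing of names, and the rule that a token not followed by "=" starts a new challenge are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

Challenge = Tuple[str, Dict[str, str]]

# token as in RFC 2616: any CHAR except CTLs and separators
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_OWS = re.compile(r"[ \t]*")


def _quoted_string(value: str, i: int) -> Tuple[str, int]:
    """Parse a quoted-string whose opening DQUOTE is at value[i].
    quoted-pair (backslash escape) is honoured, so an escaped DQUOTE or a
    comma inside the quotes does not end the string or the list element."""
    out: List[str] = []
    i += 1
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted-string")


def parse_challenges(field_value: str) -> List[Challenge]:
    """Parse one WWW-Authenticate / Proxy-Authenticate field value
    (1#challenge) into [(auth_scheme, {param: value}), ...].

    At a comma the grammar is ambiguous: the next element is either another
    auth-param of the current challenge or the auth-scheme of a new one.
    A token followed by "=" is an auth-param; any other token starts a new
    challenge (an example choice). Empty list elements (",,") are skipped,
    as the collected ABNF permits. Scheme and parameter names are
    case-insensitive and are lower-cased."""
    challenges: List[Challenge] = []
    i, n = 0, len(field_value)
    while i < n:
        i = _OWS.match(field_value, i).end()
        if i >= n:
            break
        if field_value[i] == ",":
            i += 1
            continue
        m = _TOKEN.match(field_value, i)
        if not m:
            raise ValueError(f"expected token at offset {i}")
        tok = m.group(0)
        j = _OWS.match(field_value, m.end()).end()
        if j < n and field_value[j] == "=":
            if not challenges:
                raise ValueError("auth-param before any auth-scheme")
            k = _OWS.match(field_value, j + 1).end()
            if k < n and field_value[k] == '"':
                val, i = _quoted_string(field_value, k)
            else:
                vm = _TOKEN.match(field_value, k)
                if not vm:
                    raise ValueError(f"expected auth-param value at offset {k}")
                val, i = vm.group(0), vm.end()
            challenges[-1][1][tok.lower()] = val
        else:
            challenges.append((tok.lower(), {}))
            i = m.end()
    return challenges


def parse_www_authenticate(field_values: List[str]) -> List[Challenge]:
    """Collect the challenges from every WWW-Authenticate field of a response.
    A challenge never spans two fields, so each field value is parsed on its
    own and the results are concatenated in order."""
    result: List[Challenge] = []
    for v in field_values:
        result.extend(parse_challenges(v))
    return result


def present_response_body(prior: List[Challenge], current: List[Challenge],
                          attempts: int) -> bool:
    """Section 2.1 rule for a repeated 401: when the new response carries the
    same challenge(s) as the prior one and the user agent has already tried
    to authenticate at least once, show the user the representation sent
    with the 401, since it may carry diagnostic information."""
    return attempts >= 1 and prior == current
```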
4. IANA Considerations 4. IANA Considerations
4.1. Status Code Registration 4.1. Status Code Registration
The HTTP Status Code Registry located at The HTTP Status Code Registry located at
<http://www.iana.org/assignments/http-status-codes> should be updated <http://www.iana.org/assignments/http-status-codes> shall be updated
with the registrations below: with the registrations below:
+-------+-------------------------------+-------------+ +-------+-------------------------------+-------------+
| Value | Description | Reference | | Value | Description | Reference |
+-------+-------------------------------+-------------+ +-------+-------------------------------+-------------+
| 401 | Unauthorized | Section 2.1 | | 401 | Unauthorized | Section 2.1 |
| 407 | Proxy Authentication Required | Section 2.2 | | 407 | Proxy Authentication Required | Section 2.2 |
+-------+-------------------------------+-------------+ +-------+-------------------------------+-------------+
4.2. Message Header Registration 4.2. Header Field Registration
The Message Header Registry located at <http://www.iana.org/ The Message Header Field Registry located at <http://www.iana.org/
assignments/message-headers/message-header-index.html> should be assignments/message-headers/message-header-index.html> shall be
updated with the permanent registrations below (see [RFC3864]): updated with the permanent registrations below (see [RFC3864]):
+---------------------+----------+----------+-------------+ +---------------------+----------+----------+-------------+
| Header Field Name | Protocol | Status | Reference | | Header Field Name | Protocol | Status | Reference |
+---------------------+----------+----------+-------------+ +---------------------+----------+----------+-------------+
| Authorization | http | standard | Section 3.1 | | Authorization | http | standard | Section 3.1 |
| Proxy-Authenticate | http | standard | Section 3.2 | | Proxy-Authenticate | http | standard | Section 3.2 |
| Proxy-Authorization | http | standard | Section 3.3 | | Proxy-Authorization | http | standard | Section 3.3 |
| WWW-Authenticate | http | standard | Section 3.4 | | WWW-Authenticate | http | standard | Section 3.4 |
+---------------------+----------+----------+-------------+ +---------------------+----------+----------+-------------+
skipping to change at page 9, line 42 skipping to change at page 9, line 42
[[acks: TBD.]] [[acks: TBD.]]
7. References 7. References
7.1. Normative References 7.1. Normative References
[Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., [Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed.,
and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections, and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections,
and Message Parsing", draft-ietf-httpbis-p1-messaging-10 and Message Parsing", draft-ietf-httpbis-p1-messaging-11
(work in progress), July 2010. (work in progress), August 2010.
[Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed.,
Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1, part Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1, part
6: Caching", draft-ietf-httpbis-p6-cache-10 (work in 6: Caching", draft-ietf-httpbis-p6-cache-11 (work in
progress), July 2010. progress), August 2010.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A., and L. Stewart, "HTTP Leach, P., Luotonen, A., and L. Stewart, "HTTP
Authentication: Basic and Digest Access Authentication", Authentication: Basic and Digest Access Authentication",
RFC 2617, June 1999. RFC 2617, June 1999.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
skipping to change at page 10, line 23 skipping to change at page 10, line 23
7.2. Informative References 7.2. Informative References
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
Procedures for Message Header Fields", BCP 90, RFC 3864, Procedures for Message Header Fields", BCP 90, RFC 3864,
September 2004. September 2004.
Appendix A. Compatibility with Previous Versions Appendix A. Collected ABNF
A.1. Changes from RFC 2616
Appendix B. Collected ABNF
Authorization = "Authorization:" OWS Authorization-v Authorization = "Authorization:" OWS Authorization-v
Authorization-v = credentials Authorization-v = credentials
OWS = <OWS, defined in [Part1], Section 1.2.2> OWS = <OWS, defined in [Part1], Section 1.2.2>
Proxy-Authenticate = "Proxy-Authenticate:" OWS Proxy-Authenticate-v Proxy-Authenticate = "Proxy-Authenticate:" OWS Proxy-Authenticate-v
Proxy-Authenticate-v = *( "," OWS ) challenge *( OWS "," [ OWS Proxy-Authenticate-v = *( "," OWS ) challenge *( OWS "," [ OWS
challenge ] ) challenge ] )
Proxy-Authorization = "Proxy-Authorization:" OWS Proxy-Authorization = "Proxy-Authorization:" OWS
skipping to change at page 11, line 4 skipping to change at page 10, line 43
Proxy-Authorization = "Proxy-Authorization:" OWS Proxy-Authorization = "Proxy-Authorization:" OWS
Proxy-Authorization-v Proxy-Authorization-v
Proxy-Authorization-v = credentials Proxy-Authorization-v = credentials
WWW-Authenticate = "WWW-Authenticate:" OWS WWW-Authenticate-v WWW-Authenticate = "WWW-Authenticate:" OWS WWW-Authenticate-v
WWW-Authenticate-v = *( "," OWS ) challenge *( OWS "," [ OWS WWW-Authenticate-v = *( "," OWS ) challenge *( OWS "," [ OWS
challenge ] ) challenge ] )
challenge = <challenge, defined in [RFC2617], Section 1.2> challenge = <challenge, defined in [RFC2617], Section 1.2>
credentials = <credentials, defined in [RFC2617], Section 1.2> credentials = <credentials, defined in [RFC2617], Section 1.2>
ABNF diagnostics: ABNF diagnostics:
; Authorization defined but not used ; Authorization defined but not used
; Proxy-Authenticate defined but not used ; Proxy-Authenticate defined but not used
; Proxy-Authorization defined but not used ; Proxy-Authorization defined but not used
; WWW-Authenticate defined but not used ; WWW-Authenticate defined but not used
Appendix C. Change Log (to be removed by RFC Editor before publication) Appendix B. Change Log (to be removed by RFC Editor before publication)
C.1. Since RFC2616 B.1. Since RFC2616
Extracted relevant partitions from [RFC2616]. Extracted relevant partitions from [RFC2616].
C.2. Since draft-ietf-httpbis-p7-auth-00 B.2. Since draft-ietf-httpbis-p7-auth-00
Closed issues: Closed issues:
o <http://tools.ietf.org/wg/httpbis/trac/ticket/35>: "Normative and o <http://tools.ietf.org/wg/httpbis/trac/ticket/35>: "Normative and
Informative references" Informative references"
C.3. Since draft-ietf-httpbis-p7-auth-01 B.3. Since draft-ietf-httpbis-p7-auth-01
Ongoing work on ABNF conversion Ongoing work on ABNF conversion
(<http://tools.ietf.org/wg/httpbis/trac/ticket/36>): (<http://tools.ietf.org/wg/httpbis/trac/ticket/36>):
o Explicitly import BNF rules for "challenge" and "credentials" from o Explicitly import BNF rules for "challenge" and "credentials" from
RFC2617. RFC2617.
o Add explicit references to BNF syntax and rules imported from o Add explicit references to BNF syntax and rules imported from
other parts of the specification. other parts of the specification.
C.4. Since draft-ietf-httpbis-p7-auth-02 B.4. Since draft-ietf-httpbis-p7-auth-02
Ongoing work on IANA Message Header Registration Ongoing work on IANA Message Header Registration
(<http://tools.ietf.org/wg/httpbis/trac/ticket/40>): (<http://tools.ietf.org/wg/httpbis/trac/ticket/40>):
o Reference RFC 3984, and update header registrations for headers o Reference RFC 3984, and update header registrations for headers
defined in this document. defined in this document.
C.5. Since draft-ietf-httpbis-p7-auth-03 B.5. Since draft-ietf-httpbis-p7-auth-03
C.6. Since draft-ietf-httpbis-p7-auth-04 B.6. Since draft-ietf-httpbis-p7-auth-04
Ongoing work on ABNF conversion Ongoing work on ABNF conversion
(<http://tools.ietf.org/wg/httpbis/trac/ticket/36>): (<http://tools.ietf.org/wg/httpbis/trac/ticket/36>):
o Use "/" instead of "|" for alternatives. o Use "/" instead of "|" for alternatives.
o Introduce new ABNF rules for "bad" whitespace ("BWS"), optional o Introduce new ABNF rules for "bad" whitespace ("BWS"), optional
whitespace ("OWS") and required whitespace ("RWS"). whitespace ("OWS") and required whitespace ("RWS").
o Rewrite ABNFs to spell out whitespace rules, factor out header o Rewrite ABNFs to spell out whitespace rules, factor out header
value format definitions. value format definitions.
C.7. Since draft-ietf-httpbis-p7-auth-05 B.7. Since draft-ietf-httpbis-p7-auth-05
Final work on ABNF conversion Final work on ABNF conversion
(<http://tools.ietf.org/wg/httpbis/trac/ticket/36>): (<http://tools.ietf.org/wg/httpbis/trac/ticket/36>):
o Add appendix containing collected and expanded ABNF, reorganize o Add appendix containing collected and expanded ABNF, reorganize
ABNF introduction. ABNF introduction.
C.8. Since draft-ietf-httpbis-p7-auth-06 B.8. Since draft-ietf-httpbis-p7-auth-06
None. None.
C.9. Since draft-ietf-httpbis-p7-auth-07 B.9. Since draft-ietf-httpbis-p7-auth-07
Closed issues: Closed issues:
o <http://tools.ietf.org/wg/httpbis/trac/ticket/198>: "move IANA o <http://tools.ietf.org/wg/httpbis/trac/ticket/198>: "move IANA
registrations for optional status codes" registrations for optional status codes"
C.10. Since draft-ietf-httpbis-p7-auth-08 B.10. Since draft-ietf-httpbis-p7-auth-08
No significant changes. No significant changes.
C.11. Since draft-ietf-httpbis-p7-auth-09 B.11. Since draft-ietf-httpbis-p7-auth-09
Partly resolved issues: Partly resolved issues:
o <http://tools.ietf.org/wg/httpbis/trac/ticket/196>: "Term for the o <http://tools.ietf.org/wg/httpbis/trac/ticket/196>: "Term for the
requested resource's URI" requested resource's URI"
B.12. Since draft-ietf-httpbis-p7-auth-10
None yet.
Index Index
4 4
401 Unauthorized (status code) 5 401 Unauthorized (status code) 5
407 Proxy Authentication Required (status code) 5 407 Proxy Authentication Required (status code) 5
A A
Authorization header 6 Authorization header 6
G G
End of changes. 34 change blocks.
57 lines changed or deleted, 57 lines changed or added
This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/