Fwd: Protocol Action: 'HTTP Digest Access Authentication' to Proposed Standard (draft-ietf-httpauth-digest-19.txt)

FYI: this was the last bit needed to obsolete RFC 2617.

Best regards, Julian

-------- Forwarded Message --------
Subject: Protocol Action: 'HTTP Digest Access Authentication' to Proposed Standard (draft-ietf-httpauth-digest-19.txt)
Date: Mon, 27 Apr 2015 13:23:48 -0700
From: The IESG <iesg-secretary@ietf.org>
Reply-To: ietf@ietf.org
To: IETF-Announce <ietf-announce@ietf.org>
CC: httpauth mailing list <http-auth@ietf.org>, httpauth chair <httpauth-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>

The IESG has approved the following document:
- 'HTTP Digest Access Authentication'
   (draft-ietf-httpauth-digest-19.txt) as Proposed Standard

This document is the product of the Hypertext Transfer Protocol
Authentication Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpauth-digest/





Technical Summary

    HTTP provides a simple challenge-response authentication mechanism
    that may be used by a server to challenge a client request and by a
    client to provide authentication information.  This document defines
    the HTTP Digest Authentication scheme that can be used with the HTTP
    authentication mechanism.

    The combination of this document with the definition of the "Basic"
    authentication scheme [BASIC], "The Hypertext Transfer Protocol
    (HTTP) Authentication-Info and Proxy-Authentication-Info Response
    Header Fields" [AUTHINFO], and [RFC7235] obsolete [RFC2617].

Working Group Summary

    There is WG consensus for this draft.  For the most part it describes
    existing practice, with the addition of a few things:
     o New algorithms: SHA2-256 and SHA2-512/256.
     o Internationalized character set support.
     o Username hashing for enhanced privacy.

    While the working group was chartered to add the new algorithms and
    internationalization support, the addition of user name hashing is
    not in the charter. The group was specifically polled about whether
    they wanted to add features to a legacy protocol that is anyway
    vulnerable to dictionary attacks. The group consensus was that this
    should be done.

    With version -15 it is the consensus of the HTTP-Auth working group
    that this document is fit to be published as a standards-track RFC.

Document Quality

    There are no implementations that include these updates yet.

Personnel

    The Document Shepherd is Yoav Nir and the
    Responsible Area Director is Kathleen Moriarty.

IANA Note

    This draft creates a registry using the 5226 "Specification Required"
    registration policy.

    IANA maintains the registry of HTTP Authentication Schemes
    ([RFC7235]) at <http://www.iana.org/assignments/http-authschemes>
    and the entry for the "Digest" Authentication Scheme is to be added
    with a pointer to this specification.

Received on Thursday, 30 April 2015 13:03:27 UTC