W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2023

I-D Action: draft-ietf-httpbis-unprompted-auth-00.txt

From: <internet-drafts@ietf.org>
Date: Fri, 24 Feb 2023 15:36:37 -0800
To: <i-d-announce@ietf.org>
Cc: ietf-http-wg@w3.org
Message-ID: <167728179716.37270.6658017962820804373@ietfa.amsl.com>

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the HTTP WG of the IETF.

        Title           : HTTP Unprompted Authentication
        Authors         : David Schinazi
                          David M. Oliver
                          Jonathan Hoyland
  Filename        : draft-ietf-httpbis-unprompted-auth-00.txt
  Pages           : 9
  Date            : 2023-02-24

   Existing HTTP authentication mechanisms are probeable in the sense
   that it is possible for an unauthenticated client to probe whether an
   origin serves resources that require authentication.  It is possible
   for an origin to hide the fact that it requires authentication by not
   generating Unauthorized status codes, however that only works with
   non-cryptographic authentication schemes: cryptographic schemes (such
   as signatures or message authentication codes) require a fresh nonce
   to be signed, and there is no existing way for the origin to share
   such a nonce without exposing the fact that it serves resources that
   require authentication.  This document proposes a new non-probeable
   cryptographic authentication scheme.

The IETF datatracker status page for this Internet-Draft is:

There is also an HTML version available at:

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
Received on Friday, 24 February 2023 23:37:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 24 February 2023 23:37:19 UTC