- From: <internet-drafts@ietf.org>
- Date: Mon, 13 Mar 2023 13:31:21 -0700
- To: <i-d-announce@ietf.org>
- Cc: ietf-http-wg@w3.org
A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the HTTP (HTTPBIS) WG of
the IETF.
Title : HTTP Unprompted Authentication
Authors : David Schinazi
David M. Oliver
Jonathan Hoyland
Filename : draft-ietf-httpbis-unprompted-auth-01.txt
Pages : 11
Date : 2023-03-13
Abstract:
Existing HTTP authentication mechanisms are probeable in the sense
that it is possible for an unauthenticated client to probe whether an
origin serves resources that require authentication. It is possible
for an origin to hide the fact that it requires authentication by not
generating Unauthorized status codes, however that only works with
non-cryptographic authentication schemes: cryptographic schemes (such
as signatures or message authentication codes) require a fresh nonce
to be signed, and there is no existing way for the origin to share
such a nonce without exposing the fact that it serves resources that
require authentication. This document proposes a new non-probeable
cryptographic authentication scheme.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-httpbis-unprompted-auth-01.html
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-httpbis-unprompted-auth-01
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
Received on Monday, 13 March 2023 20:31:34 UTC