- From: The IESG <iesg-secretary@ietf.org>
- Date: Wed, 28 Aug 2024 10:20:00 -0700
- To: "IETF-Announce" <ietf-announce@ietf.org>
- CC: draft-ietf-httpbis-unprompted-auth@ietf.org, francesca.palombini@ericsson.com, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, tpauly@apple.com
The IESG has received a request from the HTTP WG (httpbis) to consider the following document: - 'The Concealed HTTP Authentication Scheme' <draft-ietf-httpbis-unprompted-auth-09.txt> as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2024-09-11. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract Most HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes, however that only works with non-cryptographic authentication schemes: cryptographic signatures require a fresh nonce to be signed. At the time of writing, there was no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document proposes a new non-probeable cryptographic authentication scheme. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/ No IPR declarations have been submitted directly on this I-D.
Received on Wednesday, 28 August 2024 17:20:06 UTC