Protocol Action: 'The Concealed HTTP Authentication Scheme' to Proposed Standard (draft-ietf-httpbis-unprompted-auth-12.txt) from The IESG on 2024-09-23 (ietf-http-wg@w3.org from July to September 2024)

From: The IESG <iesg-secretary@ietf.org>
Date: Mon, 23 Sep 2024 10:53:26 -0700
To: "IETF-Announce" <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-unprompted-auth@ietf.org, francesca.palombini@ericsson.com, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, rfc-editor@rfc-editor.org, tpauly@apple.com
Message-ID: <172711400602.1215906.11647955474091065713@dt-datatracker-65695bf5bc-rgg8z>

The IESG has approved the following document:
- 'The Concealed HTTP Authentication Scheme'
  (draft-ietf-httpbis-unprompted-auth-12.txt) as Proposed Standard

This document is the product of the HTTP Working Group.

The IESG contact persons are Zaheduzzaman Sarker and Francesca Palombini.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/




Technical Summary

   Most HTTP authentication schemes are probeable in the sense that it
   is possible for an unauthenticated client to probe whether an origin
   serves resources that require authentication.  It is possible for an
   origin to hide the fact that it requires authentication by not
   generating Unauthorized status codes, however that only works with
   non-cryptographic authentication schemes: cryptographic signatures
   require a fresh nonce to be signed.  At the time of writing, there
   was no existing way for the origin to share such a nonce without
   exposing the fact that it serves resources that require
   authentication.  This document proposes a new non-probeable
   cryptographic authentication scheme.

Working Group Summary

This document received reviews and input from a wide range of WG participants,
and reached broad agreement.
There was no particularly rough consensus points. The main change that occurred
since adoption was a change in the title and framing of the document to not
be considered a generic "signature" authentication, but to be "concealed"
authentication. 

Document Quality

This authentication scheme works closely with TLS; members of the TLS working
group are generally quite involved in HTTP, so we had review from the experts
in this area as part of WGLC.
Interop between two separate implementations was validated and reported to the
WG mailing list in January 2024. There may be more since then.

Personnel

   The Document Shepherd for this document is Tommy Pauly. The Responsible
   Area Director is Francesca Palombini.

Received on Monday, 23 September 2024 17:53:34 UTC