HTTP Authentication

The information below is for an older proposed charter.

Document: Proposed charter Hypertext Transmission Protocol Authentication WG (httpauth) Snapshot
Title: HTTP Authentication
Last updated: 2013-02-21
State: Start Chartering/Rechartering (Internal Steering Group/IAB Review)
WG State: BOF
IESG Responsible AD: Kathleen Moriarty
Charter edit AD: Sean Turner
Send notices to: (None)

Authentication of users to servers over HTTP has always been a weak
point in web services.  The built-in HTTP authentication mechanisms
[suffers from X and Y], and consequently are now infrequently used.
Authentication through a web form is much more commonly used, but [has
problems Q and R].  There is a need for improved mechanisms that can
replace or augment HTTP authentication.  Only HTTP authentication is
in scope for this WG; form-based or "web" authentication is out of

The httpauth WG will be a short-lived working group that will document
a small number of HTTP user authentication schemes that might offer
security benefits, and that could, following experimentation, be
widely adopted as standards-track schemes for HTTP user
authentication. Each of these RFCs will be Informational or
Experimental, and should include a description of when use of its
mechanism is appropriate, via a use-case or other distinguishing
characteristics.  Standards track solutions for HTTP Authentication
schemes are out of scope, as none of the proposals are expected to be
sufficiently widely deployed to warrant that status before the WG

All schemes to be developed in the httpauth WG must be usable with the
existing HTTP authentication framework, or with evolutions of that
framework as developed in the httpbis WG. That is, the evolution of
the HTTP authentication framework is to be done in the httpbis WG and
not in the httpauth WG.

The httpauth WG will work closely with the httpbis WG to ensure that
the outcomes from the httpauth WG do not conflict with work done

The drafts currently under consideration as WG items include:

- draft-williams-http-rest-auth
- draft-oiwa-http-mutualauth and draft-oiwa-http-auth-extension
- draft-farrell-httpbis-hoba
- draft-montenegro-httpbis-multilegged-auth
- draft-melnikov-httpbis-scram-auth

The WG will produce two standards track documents that will obsolete
the basic and digest schemes defined in RFC 2617, taking into account
errata on that specification.

For the digest scheme, the new specification will incorporate "more
modern" algorithm agility and internationalization support, which
requires input from internationalization experts.
draft-ahrens-httpbis-digest-auth-update documents one possible
approach that the WG could adopt and modify as it sees fit.

For the basic scheme, no technical changes are envisaged other than to
handle internationalization of usernames and passwords.  The goal is
to improve the scheme's documentation and to obsolete RFC 2617, which
has some significant flaws that have emerged through 13 years of

The WG is not required to merge all proposals into one. The goal is
not to produce "perfect" mechanisms, but to review and improve
proposals and to quickly produce stable specifications for the purpose
of obtaining implementation and deployment experience.  The working
group will then close, and any further culling or refinement of the
experimental mechanisms will be done in another context.

It is expected that the market/community will select which if any of
the RFCs developed might be worth progressing on the standards-track
at a later date, in a different WG.

Adoption of additional work items is not expected and will require a

The following are explicitly out of scope:

- changes to TLS
- changes to HTTP, except for those made in the httpbis WG
- definition of authentication mechanisms that do not work with the
HTTP authentication framework
- authentication schemes that distinguish between devices and humans,
or for components of web services, and that cannot be sensibly used
for humans; for example, device state authentication such as that done
by the NEA WG is out of scope
- "web" authentication that is not HTTP authentication