Technical Summary
HTTP provides a simple challenge-response authentication mechanism
that may be used by a server to challenge a client request and by a
client to provide authentication information. This document defines
the HTTP Digest Authentication scheme that can be used with the HTTP
authentication mechanism.
The combination of this document with the definition of the "Basic"
authentication scheme [BASIC], "The Hypertext Transfer Protocol
(HTTP) Authentication-Info and Proxy-Authentication-Info Response
Header Fields" [AUTHINFO], and [RFC7235] obsoletes [RFC2617].
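As an added illustration (not part of this writeup or the draft), one challenge-response exchange using the SHA-256 algorithm and the userhash option this document adds, with a server that stores only H(A1) and accepts each nonce once; the realm, credentials, nonce values and URI are constructed sample values:

```python
import hashlib
import hmac

# Added example, not text from the draft: one HTTP Digest exchange using the
# SHA-256 algorithm and userhash=true. Realm, credentials, nonces and URI are
# constructed sample values.

def h(data: str) -> str:
    """SHA-256 hex digest of a UTF-8 string (the draft's "SHA-256" algorithm)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def userhash(username: str, realm: str) -> str:
    """With userhash=true the client sends H(username:realm) instead of the name."""
    return h(f"{username}:{realm}")

def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = H(username:realm:password); a server may store this, not the password."""
    return h(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side, qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2)) with A2 = method:uri."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    """Minimal verifier: keeps H(A1) per userhash plus the nonces it has issued."""

    def __init__(self, realm, accounts):
        self.realm = realm
        # accounts is {username: password}; only H(A1) is kept, indexed by userhash
        self.by_userhash = {userhash(u, realm): ha1(u, realm, p) for u, p in accounts.items()}
        self.issued = set()

    def challenge(self, nonce):
        """WWW-Authenticate header value for a fresh, server-chosen nonce."""
        self.issued.add(nonce)
        return (f'Digest realm="{self.realm}", algorithm=SHA-256, qop="auth", '
                f'nonce="{nonce}", userhash=true')

    def verify(self, params, method):
        """params: parsed Authorization fields. True only for an issued, unused nonce."""
        nonce = params.get("nonce")
        if nonce not in self.issued:
            return False                      # unknown or replayed nonce
        self.issued.discard(nonce)            # each nonce is accepted once
        stored = self.by_userhash.get(params.get("username"))
        if stored is None:
            return False                      # no account with that userhash
        expected = digest_response(stored, method, params["uri"], nonce,
                                   params["nc"], params["cnonce"])
        return hmac.compare_digest(expected, params["response"])
```

Because the response is a deterministic function of the password given a captured exchange, this scheme remains open to the offline dictionary guessing the writeup mentions; the H(A1) storage and single-use nonces limit credential exposure and replay, not password guessing.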
Working Group Summary
There is WG consensus for this draft. For the most part it describes
existing practice, with the addition of a few things:
o New algorithms: SHA2-256 and SHA2-512/256.
o Internationalized character set support.
o Username hashing for enhanced privacy.
While the working group was chartered to add the new algorithms and
internationalization support, the addition of username hashing is
not in the charter. The group was specifically polled about whether
it wanted to add features to a legacy protocol that is in any case
vulnerable to dictionary attacks. The group consensus was that this
should be done.
With version -15 it is the consensus of the HTTP-Auth working group
that this document is fit to be published as a standards-track RFC.
Document Quality
There are no implementations that include these updates yet.
Personnel
The Document Shepherd is Yoav Nir and the
Responsible Area Director is Kathleen Moriarty.
IANA Note
This draft creates a registry using the RFC 5226 "Specification Required"
registration policy.
IANA maintains the registry of HTTP Authentication Schemes
([RFC7235]) at <http://www.iana.org/assignments/http-authschemes>
and the entry for the "Digest" Authentication Scheme is to be added with
a pointer to this specification.