
Salted Challenge Response HTTP Authentication Mechanism
draft-ietf-httpauth-scram-auth-15

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
Cc: draft-ietf-httpauth-scram-auth@ietf.org, httpauth-chairs@tools.ietf.org, rifaat.ietf@gmail.com, httpauth-chairs@ietf.org, Kathleen.Moriarty.ietf@gmail.com, http-auth@ietf.org, "The IESG" <iesg@ietf.org>, alexey.melnikov@isode.com, rfc-editor@rfc-editor.org, draft-ietf-httpauth-scram-auth-all@tools.ietf.org
Subject: Document Action: 'Salted Challenge Response (SCRAM) HTTP Authentication Mechanism' to Experimental RFC (draft-ietf-httpauth-scram-auth-15.txt)

The IESG has approved the following document:
- 'Salted Challenge Response (SCRAM) HTTP Authentication Mechanism'
  (draft-ietf-httpauth-scram-auth-15.txt) as Experimental RFC

This document is the product of the Hypertext Transfer Protocol
Authentication Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpauth-scram-auth/


Ballot Text

Technical Summary

The authentication mechanism most widely deployed and used by
Internet application protocols is the transmission of clear-text
passwords over a channel protected by Transport Layer Security (TLS).
There are some significant security concerns with that mechanism,
which could be addressed by the use of a challenge response
authentication mechanism protected by TLS.  Unfortunately, the HTTP
Digest challenge response mechanism presently on the standards track
has failed to achieve widespread deployment, and has had success only
in limited use.

This specification describes a family of HTTP authentication
mechanisms called the Salted Challenge Response Authentication
Mechanism (SCRAM), which addresses security concerns with HTTP Digest
and meets the deployability requirements.  When used in combination
with TLS or an equivalent security layer, a mechanism from this
family could improve the status quo for HTTP authentication.

Working Group Summary

This document is one of the experimental documents submitted to the
HTTP-Auth working group. 

With version -13 it is the consensus of the HTTP-Auth working group
that this document is fit to be published as an experimental RFC.

Document Quality

The proposed authentication method has been reviewed by a fair number of 
participants.

There is one known implementation of this protocol.

Personnel

The document shepherd is Rifaat Shekh-Yusef and
the Responsible Area Director is Kathleen Moriarty.

RFC Editor Note