The Concealed HTTP Authentication Scheme
draft-ietf-httpbis-unprompted-auth-12
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2025-01-14
|
12 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2024-10-10
|
12 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2024-10-09
|
12 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2024-10-09
|
12 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2024-10-01
|
12 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2024-09-23
|
12 | (System) | RFC Editor state changed to EDIT |
2024-09-23
|
12 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2024-09-23
|
12 | (System) | Announcement was received by RFC Editor |
2024-09-23
|
12 | (System) | IANA Action state changed to In Progress |
2024-09-23
|
12 | (System) | Removed all action holders (IESG state changed) |
2024-09-23
|
12 | Jenny Bui | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2024-09-23
|
12 | Jenny Bui | IESG has approved the document |
2024-09-23
|
12 | Jenny Bui | Closed "Approve" ballot |
2024-09-23
|
12 | Jenny Bui | Ballot approval text was generated |
2024-09-23
|
12 | Francesca Palombini | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup |
2024-09-19
|
12 | (System) | Changed action holders to Francesca Palombini (IESG state changed) |
2024-09-19
|
12 | (System) | Sub state has been changed to AD Followup from Revised I-D Needed |
2024-09-19
|
12 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-12.txt |
2024-09-19
|
12 | David Schinazi | New version approved |
2024-09-19
|
12 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2024-09-19
|
12 | David Schinazi | Uploaded new revision |
2024-09-19
|
11 | (System) | Changed action holders to David Schinazi, Jonathan Hoyland, David Oliver (IESG state changed) |
2024-09-19
|
11 | Jenny Bui | IESG state changed to Approved-announcement to be sent::Revised I-D Needed from IESG Evaluation |
2024-09-19
|
11 | John Scudder | [Ballot Position Update] New position, No Objection, has been recorded for John Scudder |
2024-09-19
|
11 | Jim Guichard | [Ballot Position Update] New position, No Objection, has been recorded for Jim Guichard |
2024-09-18
|
11 | Murray Kucherawy | [Ballot comment] Thanks to Robert Sparks for his ARTART review. |
2024-09-18
|
11 | Murray Kucherawy | [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy |
2024-09-18
|
11 | Zaheduzzaman Sarker | [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker |
2024-09-17
|
11 | Paul Wouters | [Ballot comment] Like Deb, I would like to understand the need for the static prefix data in section 3.3 as well. For Section 3.1, is … [Ballot comment] Like Deb, I would like to understand the need for the static prefix data in section 3.3 as well. For Section 3.1, is there a reason the SubjectPublicKeyInfo (SPKI) structure cannot be used? That way, the Public Key Encoding does not have to be redefined for any new/other algorithms? (kind of on the fence whether this should be a DISCUSS) |
2024-09-17
|
11 | Paul Wouters | [Ballot Position Update] New position, No Objection, has been recorded for Paul Wouters |
2024-09-17
|
11 | Mahesh Jethanandani | [Ballot comment] "Abstract", paragraph 2 > About This Document I note the fact that the Shepherd writeup was written more than 2 years ago. Does … [Ballot comment] "Abstract", paragraph 2 > About This Document I note the fact that the Shepherd writeup was written more than 2 years ago. Does it need a refresh? For example, two implementations were noted then. Has that figure changed? It also notes that the document has had no specific directorate reviews, although I do note that a SECDIR, ARTART, OPSDIR, and GENART review have been done. What about HTTPDIR? Section 3, paragraph 5 > Note that TLS 1.3 keying material exporters are defined in > Section 7.5 of [TLS], while TLS 1.2 keying material exporters are > defined in [KEY-EXPORT]. I agree with Gunter's review COMMENT that the use of references such as [TLS] or [KEY-EXPORT] rather than using the RFC number is unusual, even as the authors contend that is the style in HTTPBIS WG. Most of the boiler text in the document continues to use RFC numbers, and I note at least one use of RFC number [RFC7627] in the draft. Section 6.4, paragraph 1 > The authentication checks described above can take time to compute, > and an attacker could detect use of this mechanism if that time is > observable by comparing the timing of a request for a known non- > existent resource to the timing of a request for a potentially > authenticated resource. Servers can mitigate this observability by > slightly delaying responses to some non-existent resources such that > the timing of the authentication verification is not observable. > This delay needs to be carefully considered to avoid having the delay > itself leak the fact that this origin uses this mechanism at all. Maybe I do not understand this paragraph. The document says that for non-existent resource, the response time would be different because it does not perform an authentication check?? What if it did? In other words, regardless of whether the resource existed or did not exist, an authentication check is always performed. Would a client then be able to detect the difference? Found terminology that should be reviewed for inclusivity; see https://www.rfc-editor.org/part2/#inclusive_language for background and more guidance: * Term "master"; alternatives might be "active", "central", "initiator", "leader", "main", "orchestrator", "parent", "primary", "server" ------------------------------------------------------------------------------- NIT ------------------------------------------------------------------------------- All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. Uncited references: [RFC8792]. Probably because the text in the document says RFC 8792 (with a space). Document references draft-schinazi-masque-00, but -04 is the latest available revision. Section 2, paragraph 2 > le TLS 1.2 keying material exporters are defined in [KEY-EXPORT]. I agree wit > ^^^^^^^^^^^ You have used the passive voice repeatedly in nearby sentences. To make your writing clearer and easier to read, consider using active voice. Section 3.1, paragraph 11 > ey exporter context (see above) and the a Parameter (see Section 4.2) carry t > ^^^^^ Two determiners in a row. Choose either "the" or "a". Section 3.3, paragraph 5 > MUST NOT include any characters other then ASCII letters, digits, dash and > ^^^^^^^^^^ Did you mean "other than"? Section 4, paragraph 1 > known keys, see Section 6.3. 4.2. The a Parameter The REQUIRED "a" (public > ^^^^^ Two determiners in a row. Choose either "The" or "a". Section 6.3, paragraph 4 > delay needs to be carefully considered to avoid having the delay itself leak > ^^^^^^^^^^^^^^^^^^^ The verb "considered" is used with the gerund form. |
2024-09-17
|
11 | Mahesh Jethanandani | [Ballot Position Update] New position, No Objection, has been recorded for Mahesh Jethanandani |
2024-09-17
|
11 | Deb Cooley | [Ballot comment] Thanks to Rich Salz who did the secdir review. I have two small comments: Section 3.1, para 1: the character 'a' as a … [Ballot comment] Thanks to Rich Salz who did the secdir review. I have two small comments: Section 3.1, para 1: the character 'a' as a type of parameter looks like a typo. The font change in the html version of the draft still isn't much different than the normal draft font. Maybe quotation marks would help (like in Section 4)? Note: there are other parameters used in section 3.2, these aren't normally regular words in English, so they aren't as confusing. But whatever you do for 'a' should be done for the others. Also note: I have not looked at this in the text version of the draft. Section 3.3: 'prefixed with static data before being signed to mitigate issues caused by key reuse'. I'd like to understand what is meant by this (not necessarily a draft change). Normally key reuse issues are mitigated by non-static data, a nonce, or something that is guaranteed to be different. I don't understand why adding a static prefix mitigates a key reuse issue. Nor do I understand what the key reuse issue would be - reuse of the key exporter output? or something else? If this is tied to the para/sentence in Security Considerations ( thou shalt not use in other protocols - I'm paraphrasing), then I think a short phrase in Section 3.3 could help the reader. |
2024-09-17
|
11 | Deb Cooley | [Ballot Position Update] New position, No Objection, has been recorded for Deb Cooley |
2024-09-17
|
11 | Éric Vyncke | [Ballot comment] # Éric Vyncke, INT AD, comments for draft-ietf-httpbis-unprompted-auth-11 Thank you for the work put into this document. Please find below some non-blocking COMMENT … [Ballot comment] # Éric Vyncke, INT AD, comments for draft-ietf-httpbis-unprompted-auth-11 Thank you for the work put into this document. Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education). Special thanks to Tommy Pauly for the shepherd's detailed write-up including the WG consensus and the justification of the intended status. I hope that this review helps to improve the document, Regards, -éric # COMMENTS (non-blocking) I learned a new English word "probeable", which I misread as "probable" several times :-) "Unprompted" was clearer IMHO but this is cosmetic. ## Section 1 A time diagram of all exchanges will be welcome by the readers, e.g., setting up the TLS session, client sending its key context, (exchange between frontend and backend), then (if I understand correctly) the actual authentication taking place with a nonce, then actual data transfer. ## Section 3.1 Suggest to add a reference to the syntax used in Figure 1. s/s Parameter/"s" Parameter/ ? and similar for "k", ... Noting that this notation is used in section 4. ## Why not mTLS ? Should there be a comparaison with mutually authenticated TLS ? I understand that mTLS and this I-D work at different layers but mTLS could also be used for similar purposes. |
2024-09-17
|
11 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
2024-09-16
|
11 | (System) | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2024-09-16
|
11 | Orie Steele | [Ballot Position Update] New position, Yes, has been recorded for Orie Steele |
2024-09-16
|
11 | Roman Danyliw | [Ballot comment] Thank you to Reese Enghardt for the GENART review. ** Section 9.3. Per the columns in https://www.iana.org/assignments/http-fields/http-fields.xhtml and this registration: Field Name: … [Ballot comment] Thank you to Reese Enghardt for the GENART review. ** Section 9.3. Per the columns in https://www.iana.org/assignments/http-fields/http-fields.xhtml and this registration: Field Name: Concealed-Auth-Export Status: permanent Structured Type: Item Template: None What’s the “Template” field? There isn’t a column with that name in the “Hypertext Transfer Protocol (HTTP) Field Name Registry” |
2024-09-16
|
11 | Roman Danyliw | [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw |
2024-09-16
|
11 | Gunter Van de Velde | [Ballot comment] # Gunter Van de Velde, RTG AD, comments about draft-ietf-httpbis-unprompted-auth-11 The document is well written and explains well the intended behavior to people … [Ballot comment] # Gunter Van de Velde, RTG AD, comments about draft-ietf-httpbis-unprompted-auth-11 The document is well written and explains well the intended behavior to people without significant HTTP knowledge (like myself). I found it missed (simplification) opportunity to see that the reference tags towards references are mnemonic names instead of indicating the RFC numbers itself. i find that it obscures the indication when a reference is an IETF resource or is a non-IETF resource. For example [EdDSA] is used while it would of been easier to use [RFC8032]. Currently, a reader has an extra step and needs to check the correlation of reference tag with the actual reference itself. Not sure if this is the most optimal structure to use in an IETF document. |
2024-09-16
|
11 | Gunter Van de Velde | [Ballot Position Update] New position, No Objection, has been recorded for Gunter Van de Velde |
2024-09-15
|
11 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
2024-09-11
|
11 | Cindy Morgan | Placed on agenda for telechat - 2024-09-19 |
2024-09-11
|
11 | Francesca Palombini | Ballot has been issued |
2024-09-11
|
11 | Francesca Palombini | [Ballot Position Update] New position, Yes, has been recorded for Francesca Palombini |
2024-09-11
|
11 | Francesca Palombini | Created "Approve" ballot |
2024-09-11
|
11 | Francesca Palombini | IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead |
2024-09-11
|
11 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2024-09-11
|
11 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-11.txt |
2024-09-11
|
11 | David Schinazi | New version accepted (logged-in submitter: David Schinazi) |
2024-09-11
|
11 | David Schinazi | Uploaded new revision |
2024-09-11
|
10 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
2024-09-10
|
10 | Ran Chen | Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Ran Chen. Sent review to list. |
2024-09-09
|
10 | Reese Enghardt | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Reese Enghardt. Sent review to list. |
2024-09-09
|
10 | Rich Salz | Request for Last Call review by SECDIR Completed: Ready. Reviewer: Rich Salz. Review has been revised by Rich Salz. |
2024-09-09
|
10 | Robert Sparks | Request for Last Call review by ARTART Completed: Ready. Reviewer: Robert Sparks. Sent review to list. |
2024-09-09
|
10 | Rich Salz | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Rich Salz. Sent review to list. |
2024-09-07
|
10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Rich Salz |
2024-09-04
|
10 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2024-09-04
|
10 | David Dong | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: IANA has completed its review of draft-ietf-httpbis-unprompted-auth-10. If any part of this review is inaccurate, please let us know. We … (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: IANA has completed its review of draft-ietf-httpbis-unprompted-auth-10. If any part of this review is inaccurate, please let us know. We understand that, upon approval of this document, there are three actions which we must complete. First, in the HTTP Authentication Schemes registry located at: https://www.iana.org/assignments/http-authschemes/ a single new registration will be made as follows: Authentication Scheme Name: Concealed Reference: [ RFC-to-be ] Notes: Second, in the TLS Exporter Labels registry on the Transport Layer Security (TLS) Parameters registry page located at: https://www.iana.org/assignments/tls-parameters/ a single new registration is to be made as follows: Value: EXPORTER-HTTP-Concealed-Authentication DTLS-OK?: N Recommended: Y Reference: [ RFC-to-be ] Note: As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request. Third, in the Hypertext Transfer Protocol (HTTP) Field Name registry located at: https://www.iana.org/assignments/http-fields/ Field Name: Concealed-Auth-Export Status: permanent Structured Type: Template: Reference: [ RFC-to-be ] Comment: As this also requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request. We understand that these three actions are the only ones required to be completed upon approval of this document. NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. For definitions of IANA review states, please see: https://datatracker.ietf.org/help/state/draft/iana-review Thank you, David Dong IANA Services Sr. Specialist |
2024-09-04
|
10 | David Dong | The Hypertext Transfer Protocol (HTTP) Field Name Registry and TLS Exporter Labels registrations have been approved. |
2024-09-04
|
10 | David Dong | IANA Experts State changed to Expert Reviews OK from Reviews assigned |
2024-08-30
|
10 | Barry Leiba | Request for Last Call review by ARTART is assigned to Robert Sparks |
2024-08-29
|
10 | Carlos Pignataro | Request for Last Call review by OPSDIR is assigned to Ran Chen |
2024-08-29
|
10 | David Dong | The Hypertext Transfer Protocol (HTTP) Field Name Registry registration has been approved. |
2024-08-29
|
10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Reese Enghardt |
2024-08-28
|
10 | David Dong | IANA Experts State changed to Reviews assigned |
2024-08-28
|
10 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-10.txt |
2024-08-28
|
10 | David Schinazi | New version approved |
2024-08-28
|
10 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2024-08-28
|
10 | David Schinazi | Uploaded new revision |
2024-08-28
|
09 | Liz Flynn | IANA Review state changed to IANA - Review Needed |
2024-08-28
|
09 | Liz Flynn | The following Last Call announcement was sent out (ends 2024-09-11): From: The IESG To: IETF-Announce CC: draft-ietf-httpbis-unprompted-auth@ietf.org, francesca.palombini@ericsson.com, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, tpauly@apple.com … The following Last Call announcement was sent out (ends 2024-09-11): From: The IESG To: IETF-Announce CC: draft-ietf-httpbis-unprompted-auth@ietf.org, francesca.palombini@ericsson.com, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, tpauly@apple.com Reply-To: last-call@ietf.org Sender: Subject: Last Call: (The Concealed HTTP Authentication Scheme) to Proposed Standard The IESG has received a request from the HTTP WG (httpbis) to consider the following document: - 'The Concealed HTTP Authentication Scheme' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2024-09-11. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract Most HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes, however that only works with non-cryptographic authentication schemes: cryptographic signatures require a fresh nonce to be signed. At the time of writing, there was no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document proposes a new non-probeable cryptographic authentication scheme. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/ No IPR declarations have been submitted directly on this I-D. |
2024-08-28
|
09 | Liz Flynn | IESG state changed to In Last Call from Last Call Requested |
2024-08-28
|
09 | Liz Flynn | Last call announcement was generated |
2024-08-28
|
09 | Francesca Palombini | Last call was requested |
2024-08-28
|
09 | Francesca Palombini | Ballot approval text was generated |
2024-08-28
|
09 | Francesca Palombini | AD review posted: https://mailarchive.ietf.org/arch/msg/httpbisa/cjP90WnDdjSfD2fTHgrIORfWrLQ/ |
2024-08-28
|
09 | Francesca Palombini | IESG state changed to Last Call Requested from AD Evaluation |
2024-08-28
|
09 | Francesca Palombini | Last call announcement was generated |
2024-08-28
|
09 | Francesca Palombini | IESG state changed to AD Evaluation from Publication Requested |
2024-08-28
|
09 | Francesca Palombini | Ballot writeup was changed |
2024-08-27
|
09 | Tommy Pauly | # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* Thank you for your service as a document shepherd. Among the … # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* Thank you for your service as a document shepherd. Among the responsibilities is answering the questions in this write-up to give helpful context to Last Call and Internet Engineering Steering Group ([IESG][1]) reviewers, and your diligence in completing it is appreciated. The full role of the shepherd is further described in [RFC 4858][2]. You will need the cooperation of the authors and editors to complete these checks. Note that some numbered items contain multiple related questions; please be sure to answer all of them. ## Document History 1. Does the working group (WG) consensus represent the strong concurrence of a few individuals, with others being silent, or did it reach broad agreement? This document received reviews and input from a wide range of WG participants, and reached broad agreement. 2. Was there controversy about particular points, or were there decisions where the consensus was particularly rough? There was no particularly rough consensus points. The main change that occurred since adoption was a change in the title and framing of the document to not be considered a generic "signature" authentication, but to be "concealed" authentication. 3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No appeal threats or extreme discontent. 4. For protocol documents, are there existing implementations of the contents of the document? Have a significant number of potential implementers indicated plans to implement? Are any existing implementations reported somewhere, either in the document itself (as [RFC 7942][3] recommends) or elsewhere (where)? Interop between two separate implementations was validated and reported to the WG mailing list in January 2024. There may be more since then. ## Additional Reviews 5. Do the contents of this document closely interact with technologies in other IETF working groups or external organizations, and would it therefore benefit from their review? Have those reviews occurred? If yes, describe which reviews took place. This authentication scheme works closely with TLS; members of the TLS working group are generally quite involved in HTTP, so we had review from the experts in this area as part of WGLC. 6. Describe how the document meets any required formal expert review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. This document does not use new MIB, YANG, media types, or URI types. 7. If the document contains a YANG module, has the final version of the module been checked with any of the [recommended validation tools][4] for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in [RFC 8342][5]? No YANG module. 8. Describe reviews and automated checks performed to validate sections of the final version of the document written in a formal language, such as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc. No formal language used. ## Document Shepherd Checks 9. Based on the shepherd's review of the document, is it their opinion that this document is needed, clearly written, complete, correctly designed, and ready to be handed off to the responsible Area Director? Yes, this document is well-written and ready for progressing in my opinion. 10. Several IETF Areas have assembled [lists of common issues that their reviewers encounter][6]. For which areas have such issues been identified and addressed? For which does this still need to happen in subsequent reviews? We have not run specific directorate reviews for this document; a security review during last call may be good, but that would be the main area. 11. What type of RFC publication is being requested on the IETF stream ([Best Current Practice][12], [Proposed Standard, Internet Standard][13], [Informational, Experimental or Historic][14])? Why is this the proper type of RFC? Do all Datatracker state attributes correctly reflect this intent? Proposed Standard, which is appropriate for a new HTTP authentication scheme. 12. Have reasonable efforts been made to remind all authors of the intellectual property rights (IPR) disclosure obligations described in [BCP 79][7]? To the best of your knowledge, have all required disclosures been filed? If not, explain why. If yes, summarize any relevant discussion, including links to publicly-available messages when applicable. Yes, all authors have confirmed that they are not aware for any relevant IPR, via email. 13. Has each author, editor, and contributor shown their willingness to be listed as such? If the total number of authors and editors on the front page is greater than five, please provide a justification. Yes, all authors confirmed they are willing to be listed. 14. Document any remaining I-D nits in this document. Simply running the [idnits tool][8] is not enough; please review the ["Content Guidelines" on authors.ietf.org][15]. (Also note that the current idnits tool generates some incorrect warnings; a rewrite is underway.) No nits found. 15. Should any informative references be normative or vice-versa? See the [IESG Statement on Normative and Informative References][16]. No, not in my opinion. 16. List any normative references that are not freely available to anyone. Did the community have sufficient access to review any such normative references? No such references 17. Are there any normative downward references (see [RFC 3967][9] and [BCP 97][10]) that are not already listed in the [DOWNREF registry][17]? If so, list them. No, all are listed in the downref registry 18. Are there normative references to documents that are not ready to be submitted to the IESG for publication or are otherwise in an unclear state? If so, what is the plan for their completion? No such references. 19. Will publication of this document change the status of any existing RFCs? If so, does the Datatracker metadata correctly reflect this and are those RFCs listed on the title page, in the abstract, and discussed in the introduction? If not, explain why and point to the part of the document where the relationship of this document to these other RFCs is discussed. No updates to other RFCs 20. Describe the document shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all aspects of the document requiring IANA assignments are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that each newly created IANA registry specifies its initial contents, allocations procedures, and a reasonable name (see [RFC 8126][11]). The IANA Considerations register three new values in three existing registries. These are clear and appropriate registrations. 21. List any new IANA registries that require Designated Expert Review for future allocations. Are the instructions to the Designated Expert clear? Please include suggestions of designated experts, if appropriate. No new registries. [1]: https://www.ietf.org/about/groups/iesg/ [2]: https://www.rfc-editor.org/rfc/rfc4858.html [3]: https://www.rfc-editor.org/rfc/rfc7942.html [4]: https://wiki.ietf.org/group/ops/yang-review-tools [5]: https://www.rfc-editor.org/rfc/rfc8342.html [6]: https://wiki.ietf.org/group/iesg/ExpertTopics [7]: https://www.rfc-editor.org/info/bcp79 [8]: https://www.ietf.org/tools/idnits/ [9]: https://www.rfc-editor.org/rfc/rfc3967.html [10]: https://www.rfc-editor.org/info/bcp97 [11]: https://www.rfc-editor.org/rfc/rfc8126.html [12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5 [13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1 [14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2 [15]: https://authors.ietf.org/en/content-guidelines-overview [16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/ [17]: https://datatracker.ietf.org/doc/downref/ |
2024-08-27
|
09 | Tommy Pauly | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2024-08-27
|
09 | Tommy Pauly | IESG state changed to Publication Requested from I-D Exists |
2024-08-27
|
09 | (System) | Changed action holders to Francesca Palombini (IESG state changed) |
2024-08-27
|
09 | Tommy Pauly | Responsible AD changed to Francesca Palombini |
2024-08-27
|
09 | Tommy Pauly | Document is now in IESG state Publication Requested |
2024-08-27
|
09 | Tommy Pauly | Tag Revised I-D Needed - Issue raised by WGLC cleared. |
2024-08-27
|
09 | Tommy Pauly | # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* Thank you for your service as a document shepherd. Among the … # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* Thank you for your service as a document shepherd. Among the responsibilities is answering the questions in this write-up to give helpful context to Last Call and Internet Engineering Steering Group ([IESG][1]) reviewers, and your diligence in completing it is appreciated. The full role of the shepherd is further described in [RFC 4858][2]. You will need the cooperation of the authors and editors to complete these checks. Note that some numbered items contain multiple related questions; please be sure to answer all of them. ## Document History 1. Does the working group (WG) consensus represent the strong concurrence of a few individuals, with others being silent, or did it reach broad agreement? This document received reviews and input from a wide range of WG participants, and reached broad agreement. 2. Was there controversy about particular points, or were there decisions where the consensus was particularly rough? There was no particularly rough consensus points. The main change that occurred since adoption was a change in the title and framing of the document to not be considered a generic "signature" authentication, but to be "concealed" authentication. 3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No appeal threats or extreme discontent. 4. For protocol documents, are there existing implementations of the contents of the document? Have a significant number of potential implementers indicated plans to implement? Are any existing implementations reported somewhere, either in the document itself (as [RFC 7942][3] recommends) or elsewhere (where)? Interop between two separate implementations was validated and reported to the WG mailing list in January 2024. There may be more since then. ## Additional Reviews 5. Do the contents of this document closely interact with technologies in other IETF working groups or external organizations, and would it therefore benefit from their review? Have those reviews occurred? If yes, describe which reviews took place. This authentication scheme works closely with TLS; members of the TLS working group are generally quite involved in HTTP, so we had review from the experts in this area as part of WGLC. 6. Describe how the document meets any required formal expert review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. This document does not use new MIB, YANG, media types, or URI types. 7. If the document contains a YANG module, has the final version of the module been checked with any of the [recommended validation tools][4] for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in [RFC 8342][5]? No YANG module. 8. Describe reviews and automated checks performed to validate sections of the final version of the document written in a formal language, such as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc. No formal language used. ## Document Shepherd Checks 9. Based on the shepherd's review of the document, is it their opinion that this document is needed, clearly written, complete, correctly designed, and ready to be handed off to the responsible Area Director? Yes, this document is well-written and ready for progressing in my opinion. 10. Several IETF Areas have assembled [lists of common issues that their reviewers encounter][6]. For which areas have such issues been identified and addressed? For which does this still need to happen in subsequent reviews? We have not run specific directorate reviews for this document; a security review during last call may be good, but that would be the main area. 11. What type of RFC publication is being requested on the IETF stream ([Best Current Practice][12], [Proposed Standard, Internet Standard][13], [Informational, Experimental or Historic][14])? Why is this the proper type of RFC? Do all Datatracker state attributes correctly reflect this intent? Proposed Standard, which is appropriate for a new HTTP authentication scheme. 12. Have reasonable efforts been made to remind all authors of the intellectual property rights (IPR) disclosure obligations described in [BCP 79][7]? To the best of your knowledge, have all required disclosures been filed? If not, explain why. If yes, summarize any relevant discussion, including links to publicly-available messages when applicable. Yes, all authors have confirmed that they are not aware for any relevant IPR, via email. 13. Has each author, editor, and contributor shown their willingness to be listed as such? If the total number of authors and editors on the front page is greater than five, please provide a justification. Yes, all authors confirmed they are willing to be listed. 14. Document any remaining I-D nits in this document. Simply running the [idnits tool][8] is not enough; please review the ["Content Guidelines" on authors.ietf.org][15]. (Also note that the current idnits tool generates some incorrect warnings; a rewrite is underway.) No nits found. 15. Should any informative references be normative or vice-versa? See the [IESG Statement on Normative and Informative References][16]. No, not in my opinion. 16. List any normative references that are not freely available to anyone. Did the community have sufficient access to review any such normative references? No such references 17. Are there any normative downward references (see [RFC 3967][9] and [BCP 97][10]) that are not already listed in the [DOWNREF registry][17]? If so, list them. No, all are listed in the downref registry 18. Are there normative references to documents that are not ready to be submitted to the IESG for publication or are otherwise in an unclear state? If so, what is the plan for their completion? No such references. 19. Will publication of this document change the status of any existing RFCs? If so, does the Datatracker metadata correctly reflect this and are those RFCs listed on the title page, in the abstract, and discussed in the introduction? If not, explain why and point to the part of the document where the relationship of this document to these other RFCs is discussed. No updates to other RFCs 20. Describe the document shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all aspects of the document requiring IANA assignments are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that each newly created IANA registry specifies its initial contents, allocations procedures, and a reasonable name (see [RFC 8126][11]). The IANA Considerations register three new values in three existing registries. These are clear and appropriate registrations. 21. List any new IANA registries that require Designated Expert Review for future allocations. Are the instructions to the Designated Expert clear? Please include suggestions of designated experts, if appropriate. No new registries. [1]: https://www.ietf.org/about/groups/iesg/ [2]: https://www.rfc-editor.org/rfc/rfc4858.html [3]: https://www.rfc-editor.org/rfc/rfc7942.html [4]: https://wiki.ietf.org/group/ops/yang-review-tools [5]: https://www.rfc-editor.org/rfc/rfc8342.html [6]: https://wiki.ietf.org/group/iesg/ExpertTopics [7]: https://www.rfc-editor.org/info/bcp79 [8]: https://www.ietf.org/tools/idnits/ [9]: https://www.rfc-editor.org/rfc/rfc3967.html [10]: https://www.rfc-editor.org/info/bcp97 [11]: https://www.rfc-editor.org/rfc/rfc8126.html [12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5 [13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1 [14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2 [15]: https://authors.ietf.org/en/content-guidelines-overview [16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/ [17]: https://datatracker.ietf.org/doc/downref/ |
2024-07-23
|
09 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-09.txt |
2024-07-23
|
09 | David Schinazi | New version approved |
2024-07-23
|
09 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2024-07-23
|
09 | David Schinazi | Uploaded new revision |
2024-07-05
|
08 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-08.txt |
2024-07-05
|
08 | David Schinazi | New version approved |
2024-07-05
|
08 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2024-07-05
|
08 | David Schinazi | Uploaded new revision |
2024-06-28
|
07 | Tommy Pauly | Notification list changed to tpauly@apple.com because the document shepherd was set |
2024-06-28
|
07 | Tommy Pauly | Document shepherd changed to Tommy Pauly |
2024-06-28
|
07 | Tommy Pauly | Tag Revised I-D Needed - Issue raised by WGLC set. |
2024-06-28
|
07 | Tommy Pauly | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2024-06-28
|
07 | Tommy Pauly | Changed consensus to Yes from Unknown |
2024-06-28
|
07 | Tommy Pauly | Intended Status changed to Proposed Standard from None |
2024-06-28
|
07 | Tommy Pauly | Intended Status changed to Proposed Standard from None |
2024-06-11
|
07 | Mark Nottingham | IETF WG state changed to In WG Last Call from WG Document |
2024-06-04
|
07 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-07.txt |
2024-06-04
|
07 | David Schinazi | New version approved |
2024-06-04
|
07 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2024-06-04
|
07 | David Schinazi | Uploaded new revision |
2024-01-23
|
06 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-06.txt |
2024-01-23
|
06 | David Schinazi | New version approved |
2024-01-23
|
06 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2024-01-23
|
06 | David Schinazi | Uploaded new revision |
2023-10-20
|
05 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-05.txt |
2023-10-20
|
05 | David Schinazi | New version approved |
2023-10-20
|
05 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2023-10-20
|
05 | David Schinazi | Uploaded new revision |
2023-06-28
|
04 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-04.txt |
2023-06-28
|
04 | David Schinazi | New version approved |
2023-06-28
|
04 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2023-06-28
|
04 | David Schinazi | Uploaded new revision |
2023-06-28
|
03 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-03.txt |
2023-06-28
|
03 | David Schinazi | New version approved |
2023-06-28
|
03 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2023-06-28
|
03 | David Schinazi | Uploaded new revision |
2023-03-13
|
02 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-02.txt |
2023-03-13
|
02 | David Schinazi | New version approved |
2023-03-13
|
02 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2023-03-13
|
02 | David Schinazi | Uploaded new revision |
2023-03-13
|
01 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-01.txt |
2023-03-13
|
01 | David Schinazi | New version approved |
2023-03-13
|
01 | (System) | Request for posting confirmation emailed to previous authors: David Oliver , David Schinazi , Jonathan Hoyland |
2023-03-13
|
01 | David Schinazi | Uploaded new revision |
2023-02-24
|
00 | Mark Nottingham | This document now replaces draft-schinazi-httpbis-unprompted-auth instead of None |
2023-02-24
|
00 | David Schinazi | New version available: draft-ietf-httpbis-unprompted-auth-00.txt |
2023-02-24
|
00 | Mark Nottingham | WG -00 approved |
2023-02-24
|
00 | David Schinazi | Set submitter to "David Schinazi ", replaces to draft-schinazi-httpbis-unprompted-auth and sent approval email to group chairs: httpbis-chairs@ietf.org |
2023-02-24
|
00 | David Schinazi | Uploaded new revision |