Mutual Authentication Protocol for HTTP
draft-oiwa-http-mutualauth-12

Document Type: Replaced Internet-Draft (candidate for httpauth WG); Expired & archived
Authors: Yutaka Oiwa, Hajime Watanabe, Hiromitsu Takagi, Boku Kihara, Tatsuya Hayashi, Yuichi Ioku
Last updated: 2013-04-10 (Latest revision 2012-06-04)
Replaced by: draft-oiwa-httpbis-mutualauth
RFC stream: Internet Engineering Task Force (IETF)
Intended RFC status: (None)
Additional resources: Mailing list discussion
WG state: Call For Adoption By WG Issued
Document shepherd: (None)
IESG state: Replaced by draft-oiwa-httpbis-mutualauth
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:

Abstract

This document specifies a mutual authentication method for the Hyper-text Transport Protocol (HTTP). This method provides a true mutual authentication between an HTTP client and an HTTP server using password-based authentication. Unlike the Basic and Digest authentication methods, the Mutual authentication method specified in this document assures the user that the server truly knows the user's encrypted password. This prevents common phishing attacks: a phishing attacker controlling a fake website cannot convince a user that he authenticated to the genuine website. Furthermore, even when a user authenticates to an illegitimate server, the server cannot gain any information about the user's password. The Mutual authentication method is designed as an extension to the HTTP protocol, and is intended to replace the existing authentication methods used in HTTP (the Basic method, Digest method, and authentication using HTML forms).

Authors

Yutaka Oiwa
Hajime Watanabe
Hiromitsu Takagi
Boku Kihara
Tatsuya Hayashi
Yuichi Ioku

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)