Mutual Authentication Protocol for HTTP
draft-oiwa-http-mutualauth-11

Datatracker note: the information below is for an old version of the document.

Document type: Active Internet-Draft (individual)
Last updated: 2012-05-18
Replaced by: draft-oiwa-httpbis-mutualauth
Stream: (None)
Intended RFC status: (None)
Consensus boilerplate: Unknown
IESG state: I-D Exists
Internet Engineering Task Force                                  Y. Oiwa
Internet-Draft                                               H. Watanabe
Intended status: Standards Track                               H. Takagi
Expires: November 19, 2012                                   RISEC, AIST
                                                               B. Kihara
                                                              T. Hayashi
                                                                 Lepidum
                                                                 Y. Ioku
                                                            Yahoo! Japan
                                                            May 18, 2012

                Mutual Authentication Protocol for HTTP
                     draft-oiwa-http-mutualauth-11

Abstract

   This document specifies a mutual authentication method for the
   Hypertext Transport Protocol (HTTP).  This method provides true
   mutual authentication between an HTTP client and an HTTP server
   using password-based authentication.  Unlike the Basic and Digest
   authentication methods, the Mutual authentication method specified
   in this document assures the user that the server truly knows the
   user's encrypted password.  This prevents common phishing attacks: a
   phishing attacker controlling a fake website cannot convince a user
   that they have authenticated to the genuine website.  Furthermore,
   even when a user authenticates to an illegitimate server, the server
   cannot gain any information about the user's password.  The Mutual
   authentication method is designed as an extension to the HTTP
   protocol, and is intended to replace the existing authentication
   methods used in HTTP (the Basic method, the Digest method, and
   authentication using HTML forms).

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Oiwa, et al.            Expires November 19, 2012               [Page 1]
Internet-Draft   Mutual Authentication Protocol for HTTP        May 2012

   This Internet-Draft will expire on November 19, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
     1.1.  Relations to other technologies  . . . . . . . . . . . . .  6
       1.1.1.  Technologies updated or superseded by this proposal  .  6
         1.1.1.1.  HTTP Basic and Digest authentication . . . . . . .  6
         1.1.1.2.  HTML Form authentication . . . . . . . . . . . . .  6
       1.1.2.  Technologies not updated by this proposal  . . . . . .  7
         1.1.2.1.  Federated identity/authorization management  . . .  7
         1.1.2.2.  HTTPS and HTTPS client-certificate
                   authentication . . . . . . . . . . . . . . . . . .  8
         1.1.2.3.  Relationship with local identity-management
                   frameworks . . . . . . . . . . . . . . . . . . . .  8
         1.1.2.4.  HTTP and HTTP authentication architecture  . . . .  8
     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  9
     1.3.  Document Structure and Related Documents . . . . . . . . .  9
   2.  Protocol Overview  . . . . . . . . . . . . . . . . . . . . . . 10
     2.1.  Messages Overview  . . . . . . . . . . . . . . . . . . . . 10
     2.2.  Typical Flows of the Protocol  . . . . . . . . . . . . . . 11
     2.3.  Alternative Flows  . . . . . . . . . . . . . . . . . . . . 14
   3.  Message Syntax . . . . . . . . . . . . . . . . . . . . . . . . 15
     3.1.  Values . . . . . . . . . . . . . . . . . . . . . . . . . . 16