Skip to main content

HTTP Unprompted Authentication

Document Type Replaced Internet-Draft (candidate for httpbis WG)
Expired & archived
Authors David Schinazi , David Oliver , Jonathan Hoyland
Last updated 2023-02-06 (Latest revision 2023-02-03)
Replaces draft-schinazi-httpbis-transport-auth
Replaced by draft-ietf-httpbis-unprompted-auth
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream WG state Call For Adoption By WG Issued
Document shepherd (None)
IESG IESG state Replaced by draft-ietf-httpbis-unprompted-auth
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


Existing HTTP authentication mechanisms are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes, however that only works with non-cryptographic authentication schemes: cryptographic schemes (such as signatures or message authentication codes) require a fresh nonce to be signed, and there is no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document proposes a new non-probeable cryptographic authentication scheme.


David Schinazi
David Oliver
Jonathan Hoyland

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)