
RESTful Hypertext Transfer Protocol Application-Layer Authentication Using Generic Security Services

Document Type: Expired Internet-Draft (individual)
Author: Nicolás Williams
Last updated: 2013-01-16 (Latest revision 2012-07-15)
Stream: (None)
Intended RFC status: (None)
Expired & archived
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


This document describes an application-layer authentication protocol in Hypertext Transfer Protocol (HTTP) applications using Generic Security Services Application Programming Interface (GSS-API) mechanisms. The GSS-API is used, for simplicity, via the Simple Authentication and Security Layer (SASL) mechanism bridge known as "GS2". This approach to authentication allows for simplicity, pluggability, mutual authentication, and channel binding, all with no changes to any version of HTTP or to Transport Layer Security (TLS). Although this is an application-layer protocol, we hope that it will be implemented in HTTP stacks for ease of use. That is, this protocol should be implemented at the HTTP application programming interface (API) layer wherever possible even though it is an application-layer protocol. We hope that the use of authentication at the application layer will make REST-GSS deployable.


Nicolás Williams

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)