Considerations for Web Transaction Security
RFC 2084

Document Type RFC - Informational (January 1997; No errata)
Authors Greg Bossert  , Simon Cooper  , Walt Drummond 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2084 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         G. Bossert
Request for Comments: 2084                                     S. Cooper
Category: Informational                            Silicon Graphics Inc.
                                                             W. Drummond
                                                              IEEE, Inc.
                                                            January 1997

              Considerations for Web Transaction Security

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.


   This document specifies the requirements for the provision of
   security services to the HyperText Transport Protocol.  These
   services include confidentiality, integrity, user authentication, and
   authentication of servers/services, including proxied or gatewayed
   services.  Such services may be provided as extensions to HTTP, or as
   an encapsulating security protocol.  Secondary requirements include
   ease of integration and support of multiple mechanisms for providing
   these services.

1. Introduction

   The use of the HyperText Transport Protocol [1] to provide
   specialized or commercial services and personal or private data
   necessitates the development of secure versions that include privacy
   and authentication services.  Such services may be provided as
   extensions to HTTP, or as encapsulating security protocols; for the
   purposes of this document, all such enhancements will be referred to
   as WTS.

   In this document, we specify the requirements for WTS, with the
   intent of codifying perceived Internet-wide needs, along with
   existing practice, in a way that aids in the evaluation and
   development of such protocols.

Bossert, et. al.             Informational                      [Page 1]
RFC 2084      Considerations for Web Transaction Security   January 1997

   WTS is an enhancement to an object transport protocol.  As such, it
   does not provide independent certification of documents or other data
   objects outside of the scope of the transfer of said objects.  In
   addition, security at the WTS layer is independent of and orthogonal
   to security services provided at underlying network layers.  It is
   envisioned that WTS may coexist in a single transaction with such
   mechanisms, each providing security services at the appropriate
   level, with at worst some redundancy of service.

1.1 Terminology

   This following terms have specific meaning in the context of this
   document.  The HTTP specification [1] defines additional useful

      A complete HTTP action, consisting of a request from the
      client and a response from the server.

   Gatewayed Service:
      A service accessed, via HTTP or an alternate protocol, by the
      HTTP server on behalf of the client.

      An specific implementation of a protocol or related subset of
      features of a protocol.

2. General Requirements

   WTS must define the following services.  These services must be
   provided independently of each other and support the needs of proxies
   and intermediaries

    o Confidentiality of the HTTP request and/or response.
    o Data origin authentication and data integrity of the HTTP request
      and/or response.
    o Non-repudiability of origin for the request and/or response.
    o Transmission freshness of request and/or response.
    o Ease of integration with other features of HTTP.
    o Support of multiple mechanisms for the above services.

3. Confidentiality

   WTS must be able to provide confidentiality for both requests and
   responses.  Note: because the identity of the object being requested
   is potentially sensitive, the URI of the request should be
   confidential; this is particularly critical in the common case of
   form data or other user input being passed in the URI.

Bossert, et. al.             Informational                      [Page 2]
RFC 2084      Considerations for Web Transaction Security   January 1997

4. Service Authentication

   WTS should support the authentication of gatewayed services to the

   WTS should support the authentication of the origin HTTP server or
   gatewayed services regardless of intermediary proxy or caching

   To allow user privacy, WTS must support service authentication with
   user anonymity.

   Because the identity of the object being requested is potentially
   sensitive, service authentication should occur before any part of the
   request, including the URI of the requested object, is passed.  In
   cases where the authentication process depends on the URI (or other
   header data) of the request, such as gatewayed services, the minimum
   necessary information to identify the entity to be authenticated
   should be passed.
Show full document text