Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2
RFC 4169

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>
Subject: Document Action: 'Hypertext Transfer Protocol (HTTP) 
         Digest Authentication Using Authentication and Key Agreement 
         (AKA) Version-2' to Informational RFC 

The IESG has approved the following document:

- 'Hypertext Transfer Protocol (HTTP) Digest Authentication Using 
   Authentication and Key Agreement (AKA) Version-2 '
   <draft-torvinen-http-digest-aka-v2-03.txt> as an Informational RFC

This document has been reviewed in the IETF but is not the product of an
IETF Working Group. 

The IESG contact person is Allison Mankin.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-torvinen-http-digest-aka-v2-03.txt

RFC Editor Note

Abstract

OLD:

   HTTP Digest as specified in [4] is known to be vulnerable to
   man-in-the-middle attacks if the client fails to authenticate the
   server in TLS, or if the same passwords are used for authentication
   in some other context without TLS.  This is a general problem that
   exist not just with HTTP Digest but also with other IETF protocols
   that use tunneled authentication.  This document specifies version 2
   of the HTTP Digest AKA algorithm [6].  This algorithm can be
   implemented in a way that it is resistant to the man-in-the-middle
   attack.

NEW:

   HTTP Digest as specified in RFC 2617 is known to be vulnerable to
   man-in-the-middle attacks if the client fails to authenticate the
   server in TLS, or if the same passwords are used for authentication
   in some other context without TLS.  This is a general problem that
   exist not just with HTTP Digest but also with other IETF protocols
   that use tunneled authentication.  This document specifies version 2
   of the HTTP Digest AKA algorithm (RFC 3310).  This algorithm can be
   implemented in a way that it is resistant to the man-in-the-middle
   attack.