HTTP Digest Access Authentication
RFC 7616

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    httpauth mailing list <>,
    httpauth chair <>
Subject: Protocol Action: 'HTTP Digest Access Authentication' to Proposed Standard (draft-ietf-httpauth-digest-19.txt)

The IESG has approved the following document:
- 'HTTP Digest Access Authentication'
  (draft-ietf-httpauth-digest-19.txt) as Proposed Standard

This document is the product of the Hypertext Transfer Protocol
Authentication Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:

Technical Summary

   HTTP provides a simple challenge-response authentication mechanism
   that may be used by a server to challenge a client request and by a
   client to provide authentication information.  This document defines
   the HTTP Digest Authentication scheme that can be used with the HTTP
   authentication mechanism.

  The combination of this document with the definition of the "Basic"
   authentication scheme [BASIC], "The Hypertext Transfer Protocol
   (HTTP) Authentication-Info and Proxy-Authentication-Info Response
   Header Fields" [AUTHINFO], and [RFC7235] obsolete [RFC2617].

Working Group Summary

   There is WG consensus for this draft.  For the most part it describes
   existing practice, with the addition of a few things: 
    o New algorithms: SHA2-256 and SHA2-512/256.
    o Internationalized character set support.
    o username hashing for enhanced privacy,
   While the working group was chartered to add the new algorithms and 
   internationalization support, the addition of user name hashing is
   not in the charter. The group was specifically polled about whether 
   they wanted to add features to a legacy protocol that is anyway 
   vulnerable to dictionary attacks. The group consensus was that this 
   should be done.
   With version -15 it is the consensus of the HTTP-Auth working group 
   that this document is fit to be published as a standards-track RFC.

Document Quality

   There are no implementations that include these updates yet.


   The Document Shepherd is Yoav Nir  and the
   Responsible Area Director is Kathleen Moriarty.  


   This draft creates a registry using the 5226 "Specification Required"
   registration policy.
    IANA maintains the registry of HTTP Authentication Schemes
    ([RFC7235]) at <>
    and the entry for the "Digest" Authentication Scheme is to be added with
    a pointer to this specification.