HTTP Digest Access Authentication
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org>
To: IETF-Announce <email@example.com>
Cc: RFC Editor <firstname.lastname@example.org>, httpauth mailing list <email@example.com>, httpauth chair <firstname.lastname@example.org>
Subject: Protocol Action: 'HTTP Digest Access Authentication' to Proposed Standard (draft-ietf-httpauth-digest-19.txt)

The IESG has approved the following document:

- 'HTTP Digest Access Authentication' (draft-ietf-httpauth-digest-19.txt) as Proposed Standard

This document is the product of the Hypertext Transfer Protocol Authentication Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-httpauth-digest/

Technical Summary

HTTP provides a simple challenge-response authentication mechanism that may be used by a server to challenge a client request and by a client to provide authentication information. This document defines the HTTP Digest Authentication scheme that can be used with the HTTP authentication mechanism.

The combination of this document with the definition of the "Basic" authentication scheme [BASIC], "The Hypertext Transfer Protocol (HTTP) Authentication-Info and Proxy-Authentication-Info Response Header Fields" [AUTHINFO], and [RFC7235] obsoletes [RFC2617].

Working Group Summary

There is WG consensus for this draft. For the most part it describes existing practice, with the addition of a few things:

   o New algorithms: SHA2-256 and SHA2-512/256.
   o Internationalized character set support.
   o Username hashing for enhanced privacy.

While the working group was chartered to add the new algorithms and internationalization support, the addition of user name hashing is not in the charter. The group was specifically polled about whether they wanted to add features to a legacy protocol that is anyway vulnerable to dictionary attacks. The group consensus was that this should be done.

With version -15 it is the consensus of the HTTP-Auth working group that this document is fit to be published as a standards-track RFC.

Document Quality

There are no implementations that include these updates yet.

Personnel

The Document Shepherd is Yoav Nir and the Responsible Area Director is Kathleen Moriarty.

IANA Note

This draft creates a registry using the 5226 "Specification Required" registration policy.

IANA maintains the registry of HTTP Authentication Schemes ([RFC7235]) at <http://www.iana.org/assignments/http-authschemes>, and the entry for the "Digest" Authentication Scheme is to be added with a pointer to this specification.