Mutual Authentication Protocol for HTTP
RFC 8120
| Document | Type | RFC - Experimental (April 2017; No errata) | |
|---|---|---|---|
| Authors | Yutaka Oiwa , Hajime Watanabe , Hiromitsu Takagi , Kaoru Maeda , Tatsuya Hayashi , Yuichi Ioku | ||
| Last updated | 2017-04-11 | ||
| Replaces | draft-oiwa-httpbis-mutualauth | ||
| Stream | Internet Engineering Task Force (IETF) | ||
| Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Rifaat Shekh-Yusef | ||
| Shepherd write-up | Show (last changed 2016-07-17) | ||
| IESG | IESG state | RFC 8120 (Experimental) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Kathleen Moriarty | ||
| Send notices to | "Rifaat Shekh-Yusef" <rifaat.ietf@gmail.com> | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | RFC-Ed-Ack | ||
Internet Engineering Task Force (IETF) Y. Oiwa
Request for Comments: 8120 H. Watanabe
Category: Experimental H. Takagi
ISSN: 2070-1721 ITRI, AIST
K. Maeda
Individual Contributor
T. Hayashi
Lepidum
Y. Ioku
Individual Contributor
April 2017
Mutual Authentication Protocol for HTTP
Abstract
This document specifies an authentication scheme for the Hypertext
Transfer Protocol (HTTP) that is referred to as either the Mutual
authentication scheme or the Mutual authentication protocol. This
scheme provides true mutual authentication between an HTTP client and
an HTTP server using password-based authentication. Unlike the Basic
and Digest authentication schemes, the Mutual authentication scheme
specified in this document assures the user that the server truly
knows the user's encrypted password.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8120.
Oiwa, et al. Experimental [Page 1]
RFC 8120 Mutual Authentication Protocol for HTTP April 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Terminology ................................................5
1.2. Document Structure and Related Documents ...................6
2. Protocol Overview ...............................................6
2.1. Messages ...................................................7
2.2. Typical Flows of the Protocol ..............................8
2.3. Alternative Flows .........................................10
3. Message Syntax .................................................12
3.1. Non-ASCII Extended Header Parameters ......................12
3.2. Values ....................................................13
3.2.1. Tokens .............................................13
3.2.2. Strings ............................................14
3.2.3. Numbers ............................................14
4. Messages .......................................................15
4.1. 401-INIT and 401-STALE ....................................16
4.2. req-KEX-C1 ................................................19
4.3. 401-KEX-S1 ................................................19
4.4. req-VFY-C .................................................20
4.5. 200-VFY-S .................................................21
5. Authentication Realms ..........................................21
5.1. Resolving Ambiguities .....................................23
6. Session Management .............................................24
7. Host Validation Methods ........................................26
7.1. Applicability Notes .......................................27
7.2. Notes on "tls-unique" .....................................28
8. Authentication Extensions ......................................28
9. String Preparation .............................................29
Show full document text