HTTP Digest Access Authentication
draft-ietf-httpauth-digest-19
Document history
Date | Rev. | By | Action |
---|---|---|---|
2015-09-28 | 19 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2015-09-11 | 19 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2015-08-20 | 19 | (System) | RFC Editor state changed to RFC-EDITOR from REF |
2015-06-17 | 19 | (System) | RFC Editor state changed to REF from EDIT |
2015-06-01 | 19 | (System) | RFC Editor state changed to EDIT from MISSREF |
2015-05-01 | 19 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on Authors |
2015-04-30 | 19 | (System) | IANA Action state changed to Waiting on Authors |
2015-04-28 | 19 | Amy Vezza | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2015-04-28 | 19 | (System) | RFC Editor state changed to MISSREF |
2015-04-28 | 19 | (System) | Announcement was received by RFC Editor |
2015-04-27 | 19 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2015-04-27 | 19 | Amy Vezza | IESG has approved the document |
2015-04-27 | 19 | Amy Vezza | Closed "Approve" ballot |
2015-04-27 | 19 | Amy Vezza | Ballot approval text was generated |
2015-04-27 | 19 | Amy Vezza | IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup |
2015-04-24 | 19 | Kathleen Moriarty | [Ballot comment] IANA questions have been addressed. |
2015-04-24 | 19 | Kathleen Moriarty | [Ballot Position Update] Position for Kathleen Moriarty has been changed to Yes from Discuss |
2015-04-23 | 19 | Rifaat Shekh-Yusef | IANA Review state changed to Version Changed - Review Needed from IANA - Not OK |
2015-04-23 | 19 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-19.txt |
2015-04-23 | 18 | Cindy Morgan | IESG state changed to IESG Evaluation::AD Followup from IESG Evaluation |
2015-04-23 | 18 | Francis Dupont | Request for Telechat review by GENART Completed: Ready. Reviewer: Francis Dupont. |
2015-04-23 | 18 | Kathleen Moriarty | [Ballot discuss] Holding a discuss for IANA. |
2015-04-23 | 18 | Kathleen Moriarty | [Ballot Position Update] Position for Kathleen Moriarty has been changed to Discuss from Yes |
2015-04-23 | 18 | Cindy Morgan | Changed consensus to Yes from Unknown |
2015-04-22 | 18 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2015-04-22 | 18 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2015-04-22 | 18 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2015-04-22 | 18 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2015-04-21 | 18 | Ben Campbell | [Ballot comment] Just a few minor comments: 3.3, domain: "If the URI is an abs_path..." Should that be "path-absolute", in keeping with the reference to 3986? 3.6, paragraph 4: "Because the client is REQUIRED to return..." The use of a 2119 keyword in a dependent clause seems odd. 5.1: "Digest authentication SHOULD be used over a secure channel like HTTPS" Does this mean that, if you have a secure channel you should use digest, or if you use digest you should use a secure channel? I assume the second, but the sentence can be parsed either way. |
2015-04-21 | 18 | Ben Campbell | [Ballot Position Update] New position, Yes, has been recorded for Ben Campbell |
2015-04-21 | 18 | (System) | IANA Review state changed to IANA - Not OK from Version Changed - Review Needed |
2015-04-21 | 18 | Stephen Farrell | [Ballot comment] I'm a yes on this, not because it's great technology (it just isn't;-), but because it is a valiant effort to do responsible updates to a scheme that is used somewhat. Thanks for doing the work. - The intro could usefully say that this extends but is generally backwards compatible with 2617 if you don't use any new stuff and include a pointer to appendix A as well. - p5, "nonce": "data string" is an odd combination - p6, "stale": Is "TRUE" the literal value? What if it's "1" or "y" - just wondering in case current code does something there. Section 3.3 (and elsewhere) uses "true" and "false" which aren't the same as TRUE and FALSE (or are they?) It'd be good to be consistent or to say that we're not being consistent, presumably for historical reasons. - end of 3.4: is there a specific section of 7234 that's most relevant? If so, good to say so. - 5.3, you could maybe add a reference to RFC7486 at the end of the 1st para (that is blatant self-advertisement, but I couldn't resist:-) - 5.6, is the "note" about Basic still true? I thought Julian or someone tested it and found it not quite so bad? - I think something went wrong with the secdir review [1] but I'd also encourage us to try to bottom out on Hilarie's comments. There may be something there that could be used, without any damage to backwards compatibility, which would be interesting. [1] https://www.ietf.org/mail-archive/web/secdir/current/msg05621.html |
2015-04-21 | 18 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2015-04-21 | 18 | Terry Manderson | [Ballot comment] A simple comment to resolve, I would think - avoid using actual DNS domains. Please use example.com, or at least provide rationale as to why example.com/net can't be used. |
2015-04-21 | 18 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2015-04-21 | 18 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
2015-04-20 | 18 | Barry Leiba | [Ballot Position Update] New position, Yes, has been recorded for Barry Leiba |
2015-04-20 | 18 | Brian Haberman | [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman |
2015-04-20 | 18 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2015-04-19 | 18 | Joel Jaeggli | [Ballot comment] testrealm.com is of course a domain that actually exists... testrealm.example.org/com would seem fine. |
2015-04-19 | 18 | Joel Jaeggli | Ballot comment text updated for Joel Jaeggli |
2015-04-19 | 18 | Joel Jaeggli | [Ballot comment] testrealm.com is of course a domain that actually exists... testrealm.example.org would seem fine. |
2015-04-19 | 18 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2015-04-19 | 18 | Kathleen Moriarty | IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead |
2015-04-19 | 18 | Kathleen Moriarty | Ballot has been issued |
2015-04-19 | 18 | Kathleen Moriarty | [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty |
2015-04-19 | 18 | Kathleen Moriarty | Created "Approve" ballot |
2015-04-16 | 18 | Jean Mahoney | Request for Telechat review by GENART is assigned to Francis Dupont |
2015-04-16 | 18 | Jean Mahoney | Request for Telechat review by GENART is assigned to Francis Dupont |
2015-04-10 | 18 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-18.txt |
2015-04-09 | 17 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Scott Bradner. |
2015-04-09 | 17 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Hilarie Orman. |
2015-04-08 | 17 | Kathleen Moriarty | Placed on agenda for telechat - 2015-04-23 |
2015-04-07 | 17 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-17.txt |
2015-04-06 | 16 | Francis Dupont | Request for Last Call review by GENART Completed: Ready. Reviewer: Francis Dupont. |
2015-04-03 | 16 | Rifaat Shekh-Yusef | IANA Review state changed to Version Changed - Review Needed from IANA - Not OK |
2015-04-03 | 16 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-16.txt |
2015-04-02 | 15 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
2015-04-01 | 15 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2015-04-01 | 15 | Amanda Baber | IESG/Authors/WG Chairs: IANA has reviewed draft-ietf-httpauth-digest-15. Please see the review below and report any inaccuracies as soon as possible. IANA's reviewer has a question about the action requested in the IANA Considerations section of this document. QUESTION: Where should the new registry be located? Should it be created at a new URL? If so, should it be listed under an existing category at http://www.iana.org/protocols, or a new one? If the latter, what should be the name of the category? Should the webpage have the same title? (This is typically, but not always, the case.) IANA understands that, upon approval of this document, there are two actions which IANA must complete. First, IANA will create the HTTP Digest Hash Algorithms registry at a location to be determined (see above). The registry will be maintained via the Specification Required policy defined in RFC 5226. Initial registrations (Hash Algorithm, Digest Size, Reference): MD5, 128, [ RFC-to-be ]; SHA-512-256, 256, [ RFC-to-be ]; SHA-256, 256, [ RFC-to-be ]. Second, in the HTTP Authentication Schemes registry at https://www.iana.org/assignments/http-authschemes/ a new scheme will be registered as follows: Authentication Scheme Name: Digest Reference: [ RFC-to-be ] Notes: Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. |
2015-03-26 | 15 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Hilarie Orman |
2015-03-26 | 15 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Hilarie Orman |
2015-03-26 | 15 | Tero Kivinen | Closed request for Last Call review by SECDIR with state 'Withdrawn' |
2015-03-26 | 15 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Yoav Nir |
2015-03-26 | 15 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Yoav Nir |
2015-03-21 | 15 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Scott Bradner |
2015-03-21 | 15 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Scott Bradner |
2015-03-19 | 15 | Jean Mahoney | Request for Last Call review by GENART is assigned to Francis Dupont |
2015-03-19 | 15 | Jean Mahoney | Request for Last Call review by GENART is assigned to Francis Dupont |
2015-03-19 | 15 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2015-03-19 | 15 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Sender: Subject: Last Call: (HTTP Digest Access Authentication) to Proposed Standard The IESG has received a request from the Hypertext Transfer Protocol Authentication WG (httpauth) to consider the following document: - 'HTTP Digest Access Authentication' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2015-04-02. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract HTTP provides a simple challenge-response authentication mechanism that may be used by a server to challenge a client request and by a client to provide authentication information. This document defines the HTTP Digest Authentication scheme that can be used with the HTTP authentication mechanism. Editorial Note (To be removed by RFC Editor before publication) Discussion of this draft takes place on the HTTPAuth working group mailing list (http-auth@ietf.org), which is archived at [1]. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-httpauth-digest/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-httpauth-digest/ballot/ No IPR declarations have been submitted directly on this I-D. |
2015-03-19 | 15 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2015-03-19 | 15 | Kathleen Moriarty | Ballot writeup was changed |
2015-03-19 | 15 | Kathleen Moriarty | Last call was requested |
2015-03-19 | 15 | Kathleen Moriarty | Ballot approval text was generated |
2015-03-19 | 15 | Kathleen Moriarty | IESG state changed to Last Call Requested from AD Evaluation |
2015-03-19 | 15 | Kathleen Moriarty | Last call announcement was generated |
2015-03-19 | 15 | Kathleen Moriarty | Last call announcement was generated |
2015-03-19 | 15 | Kathleen Moriarty | Ballot writeup was changed |
2015-03-19 | 15 | Kathleen Moriarty | Ballot writeup was generated |
2015-03-19 | 15 | Kathleen Moriarty | IESG state changed to AD Evaluation from Publication Requested |
2015-03-10 | 15 | Amy Vezza | Notification list changed to draft-ietf-httpauth-digest.ad@ietf.org, ynir.ietf@gmail.com, httpauth-chairs@ietf.org, http-auth@ietf.org, draft-ietf-httpauth-digest.shepherd@ietf.org, draft-ietf-httpauth-digest@ietf.org from "Yoav Nir" <ynir.ietf@gmail.com> |
2015-03-10 | 15 | Yoav Nir | Authors are Rifaat Shekh-Yusef, David Ahrens, and Sophie Bremer. Kathleen Moriarty is the responsible Area Director. Yoav Nir is the document shepherd. Summary HTTP provides a simple challenge-response authentication mechanism that may be used by a server to challenge a client request and by a client to provide authentication information. This document defines the HTTP Digest Authentication scheme that can be used with the HTTP authentication mechanism. Review and Consensus This document is (along with the already-approved basicauth-update) part of a set of documents that will collectively replace RFC 2617. As such, for the most part it describes existing practice, with the addition of a few things: o New algorithms: SHA2-256 and SHA2-512/256. o Internationalized character set support. o username hashing for enhanced privacy, While the working group was chartered to add the new algorithms and internationalization support, the addition of user name hashing is not in the charter. The group was specifically polled about whether we wanted to add features to a legacy protocol that is anyway vulnerable to dictionary attacks. The group consensus was that this should be done. With version -15 it is the consensus of the HTTP-Auth working group that this document is fit to be published as a standards-track RFC. Intellectual Property All authors have confirmed that they are not aware of any undisclosed IPR associated with this document. There have been no IPR disclosures. Other Issues None |
2015-03-10 | 15 | Yoav Nir | Responsible AD changed to Kathleen Moriarty |
2015-03-10 | 15 | Yoav Nir | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2015-03-10 | 15 | Yoav Nir | IESG state changed to Publication Requested |
2015-03-10 | 15 | Yoav Nir | IESG process started in state Publication Requested |
2015-03-10 | 15 | Yoav Nir | Tag Doc Shepherd Follow-up Underway cleared. |
2015-03-10 | 15 | Yoav Nir | Intended Status changed to Proposed Standard from None |
2015-03-09 | 15 | Yoav Nir | Changed document writeup |
2015-03-09 | 15 | Yoav Nir | Tag Doc Shepherd Follow-up Underway set. |
2015-03-09 | 15 | Yoav Nir | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2015-03-09 | 15 | Yoav Nir | Notification list changed to "Yoav Nir" <ynir.ietf@gmail.com> |
2015-03-09 | 15 | Yoav Nir | Document shepherd changed to Yoav Nir |
2015-03-05 | 15 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-15.txt |
2015-02-18 | 14 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-14.txt |
2015-02-03 | 13 | Yoav Nir | IETF WG state changed to In WG Last Call from WG Document |
2015-02-02 | 13 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-13.txt |
2015-01-22 | 12 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-12.txt |
2015-01-20 | 11 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-11.txt |
2015-01-10 | 10 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-10.txt |
2014-12-09 | 09 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-09.txt |
2014-08-23 | 08 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-08.txt |
2014-04-26 | 07 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-07.txt |
2014-04-09 | 06 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-06.txt |
2014-02-12 | 05 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-05.txt |
2014-01-19 | 04 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-04.txt |
2014-01-19 | 03 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-03.txt |
2014-01-18 | 02 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-02.txt |
2014-01-01 | 01 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-01.txt |
2013-10-07 | 00 | Rifaat Shekh-Yusef | New version available: draft-ietf-httpauth-digest-00.txt |