The 'Basic' HTTP Authentication Scheme
draft-ietf-httpauth-basicauth-update-07
Document history
Date | Rev. | By | Action |
---|---|---|---|
2015-09-21 | 07 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2015-09-11 | 07 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2015-08-20 | 07 | (System) | RFC Editor state changed to RFC-EDITOR from REF |
2015-06-11 | 07 | (System) | RFC Editor state changed to REF from EDIT |
2015-06-01 | 07 | (System) | RFC Editor state changed to EDIT from MISSREF |
2015-03-17 | 07 | Meral Shirazipour | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Meral Shirazipour. |
2015-03-04 | 07 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2015-03-04 | 07 | Cindy Morgan | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2015-03-04 | 07 | (System) | RFC Editor state changed to MISSREF |
2015-03-04 | 07 | (System) | Announcement was received by RFC Editor |
2015-03-03 | 07 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2015-03-03 | 07 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2015-03-03 | 07 | (System) | IANA Action state changed to In Progress |
2015-03-03 | 07 | Cindy Morgan | IESG state changed to Approved-announcement sent from IESG Evaluation::AD Followup |
2015-03-03 | 07 | Cindy Morgan | IESG has approved the document |
2015-03-03 | 07 | Cindy Morgan | Closed "Approve" ballot |
2015-03-03 | 07 | Cindy Morgan | Ballot approval text was generated |
2015-03-03 | 07 | Kathleen Moriarty | [Ballot comment] Thank you to the HTTPAuth working group and the editor of this draft, Julian, for your work on this update. A number of good suggestions were made in the SecDir review, however some would be better in a separate draft. As a result, this draft incorporates several of the suggestions and there is an opportunity for future work to cover the additional security considerations. http://www.ietf.org/mail-archive/web/secdir/current/msg05460.html |
2015-03-03 | 07 | Kathleen Moriarty | [Ballot Position Update] Position for Kathleen Moriarty has been changed to Yes from Discuss |
2015-03-02 | 07 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Daniel Gillmor. |
2015-02-28 | 07 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2015-02-28 | 07 | Julian Reschke | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2015-02-28 | 07 | Julian Reschke | New version available: draft-ietf-httpauth-basicauth-update-07.txt |
2015-02-19 | 06 | Cindy Morgan | IESG state changed to IESG Evaluation::Revised I-D Needed from Waiting for AD Go-Ahead |
2015-02-19 | 06 | Kathleen Moriarty | Changed consensus to Yes from Unknown |
2015-02-19 | 06 | Kathleen Moriarty | [Ballot discuss] I'd like to make sure a few comments get addressed and text gets updated from the SecDir review. This should get resolved quickly, but I wanted to make sure there was a placeholder so the comments don't go unaddressed. The author has been very responsive, so I don't think that is an issue. http://www.ietf.org/mail-archive/web/secdir/current/msg05460.html |
2015-02-19 | 06 | Kathleen Moriarty | [Ballot Position Update] Position for Kathleen Moriarty has been changed to Discuss from Yes |
2015-02-19 | 06 | Ted Lemon | [Ballot comment] I support Pete's No Objection, and have found the responses unconvincing. I would support this being raised as a DISCUSS rather than a comment, but I'll leave that to Pete. |
2015-02-19 | 06 | Ted Lemon | [Ballot Position Update] New position, No Objection, has been recorded for Ted Lemon |
2015-02-19 | 06 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
2015-02-19 | 06 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
2015-02-18 | 06 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2015-02-18 | 06 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2015-02-18 | 06 | Pete Resnick | [Ballot comment] 2: I'd at least like to hear an explanation about why this is unreasonable (if it is): OLD Furthermore, a user-id containing a colon character is invalid, as recipients will split the user-pass at the first occurrence of a colon character. Note that many user agents however will accept a colon in user-id, thereby producing a user-pass string that recipients will likely treat in a way not intended by the user. NEW Furthermore, a user-id MUST NOT contain a colon character, as recipients will split the user-pass at the first occurrence of a colon character. Many user agents will accept a colon in user-id, but this produces a user-pass string that recipients will likely treat in a way not intended by the user. END MUST NOT means that not using a colon is required for interoperation. Which is true. So I don't see why you don't come out and say that. |
2015-02-18 | 06 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick |
2015-02-18 | 06 | Richard Barnes | [Ballot comment] The current text on the use of TLS is an OK start, but I would prefer if it were refactored so that the recommendation against Basic were general to HTTP and HTTPS. Suggested: "Because Basic authentication involves the cleartext transmission of passwords it SHOULD NOT be used except over a secure channel such as HTTPS [RFC2818]. Likewise, due to the risk of compromise, Basic authentication SHOULD NOT be used to protect sensitive or valuable information." Likewise, it would be good to comment in the Security Considerations on the risk of leakage caused by sending an Authorization or Proxy-Authorization preemptively. Something like: "As discussed in Section [TODO] above, it is possible for a client to preemptively send a Basic authentication value in an Authorization or Proxy-Authorization header without first having received a challenge. In such cases, the client does not know whether the resource to which it is sending the Basic authentication value is part of the realm that should receive that value, or even whether the resource requires authentication at all. This mismatch can cause leakage of client passwords to unauthorized parties, so it is RECOMMENDED that preemptive transmission of Basic authentication values be disabled by default." |
2015-02-18 | 06 | Richard Barnes | [Ballot Position Update] Position for Richard Barnes has been changed to No Objection from Discuss |
2015-02-18 | 06 | Richard Barnes | [Ballot discuss] Section 2.2 seems like a significant departure from RFC 2617, which says nothing about the scope of authentication. (1) Did the WG discuss the compatibility impact of this change? Although clients might send the Authorization header preemptively, they should still be prepared to get a 401 response back. (2) Did the WG discuss the possibilities for leakage of credentials due to this change? It's not hard to imagine scenarios where, say, "http://example.com/~user1" and "http://example.com/~user2" are controlled by different entities, and leakage between them would be harmful. (3) At the very least, there needs to be (a) a mention of this change in Appendix A, and (b) a discussion of leakage through unsolicited Authorization headers in the Security Considerations. |
2015-02-18 | 06 | Richard Barnes | [Ballot comment] The current text on the use of TLS is an OK start, but I would prefer if it were refactored so that the recommendation against Basic were general to HTTP and HTTPS. "Because Basic authentication involves the cleartext transmission of passwords it SHOULD NOT be used except over a secure channel such as HTTPS [RFC2818]. Likewise, due to the risk of compromise, Basic authentication SHOULD NOT be used to protect sensitive or valuable information." |
2015-02-18 | 06 | Richard Barnes | [Ballot Position Update] New position, Discuss, has been recorded for Richard Barnes |
2015-02-17 | 06 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel |
2015-02-17 | 06 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Jürgen Schönwälder. |
2015-02-17 | 06 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2015-02-17 | 06 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2015-02-17 | 06 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2015-02-17 | 06 | Brian Haberman | [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman |
2015-02-17 | 06 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2015-02-17 | 06 | Spencer Dawkins | [Ballot comment] Nice job on a specification that is better than the technology it describes (echoing Stephen's ballot)! |
2015-02-17 | 06 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2015-02-17 | 06 | Barry Leiba | [Ballot comment] -- Section 1.1.1 -- This specification uses the Augmented Backus-Naur Form (ABNF) notation of [RFC5234]. Where? You do use 5234 as a reference to define CTL characters, so you need the reference. But that sentence can go. -- Section 5 -- The entry for the "Basic" Authentication Scheme shall be updated with a pointer to this specification. IANA might think this means that they should add this spec to the existing reference. It'd be clearer to say it this way, and less likely to result in an error by IANA: NEW The entry for the "Basic" Authentication Scheme shall be updated by replacing the reference with a pointer to this specification. END |
2015-02-17 | 06 | Barry Leiba | [Ballot Position Update] New position, Yes, has been recorded for Barry Leiba |
2015-02-16 | 06 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2015-02-16 | 06 | Amanda Baber | IESG/Authors/WG Chairs: IANA has reviewed draft-ietf-httpauth-basicauth-update-05. Please report any inaccuracies and respond to any questions as soon as possible. IANA's reviewer has a question about this document: We understand that, upon approval of this document, there is a single action which IANA must complete. In the HTTP Authentication Schemes registry located at: http://www.iana.org/assignments/http-authschemes/ The current reference for the "Basic" Authentication Scheme shall be updated with a pointer to this specification. QUESTION: Are we replacing the current reference, or making this document an additional reference? Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. |
2015-02-16 | 06 | Stephen Farrell | [Ballot comment] This is a pretty crappy auth scheme, but this is a pretty good update and fills a need, thanks for the latter:-) - section 2: is it worth saying somewhere that you can't really have >1 proxy-auth happening even if you transit >1 proxy? - section 2, last para: I assume this is because client and/or server behaviour varies for this? If so, maybe it'd be good to give some guidance or add a reference (if a good one exists). If there's some other reason, it'd be good to say too. - section 4: would it be worth adding some guidance that re-use of e.g. enterprise login/SSO passwords for proxy-auth is particularly dodgy as is not protected via TLS? |
2015-02-16 | 06 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2015-02-13 | 06 | Kathleen Moriarty | Ballot has been issued |
2015-02-13 | 06 | Kathleen Moriarty | [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty |
2015-02-13 | 06 | Kathleen Moriarty | Created "Approve" ballot |
2015-02-12 | 06 | Julian Reschke | New version available: draft-ietf-httpauth-basicauth-update-06.txt |
2015-02-12 | 05 | Kathleen Moriarty | Ballot writeup was changed |
2015-02-12 | 05 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Daniel Gillmor |
2015-02-12 | 05 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Daniel Gillmor |
2015-02-10 | 05 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Jürgen Schönwälder |
2015-02-10 | 05 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Jürgen Schönwälder |
2015-02-05 | 05 | Jean Mahoney | Request for Last Call review by GENART is assigned to Meral Shirazipour |
2015-02-05 | 05 | Jean Mahoney | Request for Last Call review by GENART is assigned to Meral Shirazipour |
2015-02-05 | 05 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2015-02-05 | 05 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Sender: Subject: Last Call: (The 'Basic' HTTP Authentication Scheme) to Proposed Standard The IESG has received a request from the Hypertext Transfer Protocol Authentication WG (httpauth) to consider the following document: - 'The 'Basic' HTTP Authentication Scheme' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2015-02-19. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document defines the "Basic" Hypertext Transfer Protocol (HTTP) Authentication Scheme, which transmits credentials as userid/password pairs, obfuscated by the use of Base64 encoding. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-httpauth-basicauth-update/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-httpauth-basicauth-update/ballot/ No IPR declarations have been submitted directly on this I-D. |
2015-02-05 | 05 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2015-02-05 | 05 | Kathleen Moriarty | Placed on agenda for telechat - 2015-02-19 |
2015-02-05 | 05 | Kathleen Moriarty | Last call was requested |
2015-02-05 | 05 | Kathleen Moriarty | Ballot approval text was generated |
2015-02-05 | 05 | Kathleen Moriarty | IESG state changed to Last Call Requested from Publication Requested |
2015-02-05 | 05 | Kathleen Moriarty | Last call announcement was generated |
2015-02-05 | 05 | Kathleen Moriarty | Ballot writeup was changed |
2015-02-05 | 05 | Kathleen Moriarty | Ballot writeup was generated |
2015-01-26 | 05 | Amy Vezza | Notification list changed to draft-ietf-httpauth-basicauth-update.all@tools.ietf.org, http-auth@ietf.org, httpauth-chairs@tools.ietf.org, ynir.ietf@gmail.com from "Yoav Nir" <ynir.ietf@gmail.com> |
2015-01-25 | 05 | Yoav Nir | Author is Julian Reschke. Kathleen Moriarty is the responsible Area Director. Yoav Nir is the document shepherd. Summary This document defines the "Basic" Hypertext Transfer Protocol (HTTP) Authentication Scheme, which transmits credentials as userid/password pairs, obfuscated by the use of Base64 encoding. Review and Consensus This document is (along with Digest) part of a set of documents that will collectively replace RFC 2617. As such, for the most part it describes existing practice, with the addition of support for internationalization: o A new charset parameter with UTF-8 as the only valid value. o A normative reference to the precis draft for valid characters. o Appendix B with deployment considerations for co-existing with legacy implementations. With version -07 it is the consensus of the HTTP-Auth working group that this document is fit to be published as a standards-track RFC. There are a few implementations of this specification, and they have been tested and shown to interoperate with the large install base of web browsers and web servers. Intellectual Property All authors have confirmed that they are not aware of any undisclosed IPR associated with this document. There have been no IPR disclosures. Other Issues None |
2015-01-25 | 05 | Yoav Nir | Responsible AD changed to Kathleen Moriarty |
2015-01-25 | 05 | Yoav Nir | IETF WG state changed to Submitted to IESG for Publication from In WG Last Call |
2015-01-25 | 05 | Yoav Nir | IESG state changed to Publication Requested |
2015-01-25 | 05 | Yoav Nir | IESG process started in state Publication Requested |
2015-01-25 | 05 | Yoav Nir | This document now replaces draft-ietf-httpauth-basicauth-enc, draft-reschke-basicauth-enc instead of None |
2015-01-25 | 05 | Yoav Nir | Changed document writeup |
2015-01-16 | 05 | Julian Reschke | New version available: draft-ietf-httpauth-basicauth-update-05.txt |
2014-12-19 | 04 | Julian Reschke | New version available: draft-ietf-httpauth-basicauth-update-04.txt |
2014-12-02 | 03 | Yoav Nir | Intended Status changed to Proposed Standard from None |
2014-12-02 | 03 | Yoav Nir | Working Group Last Call initiated December 2. Will expire December 16. |
2014-12-02 | 03 | Yoav Nir | IETF WG state changed to In WG Last Call from WG Document |
2014-12-02 | 03 | Yoav Nir | Notification list changed to "Yoav Nir" <ynir.ietf@gmail.com> |
2014-12-02 | 03 | Yoav Nir | Document shepherd changed to Yoav Nir |
2014-12-02 | 03 | Julian Reschke | New version available: draft-ietf-httpauth-basicauth-update-03.txt |
2014-10-27 | 02 | Julian Reschke | New version available: draft-ietf-httpauth-basicauth-update-02.txt |
2014-07-04 | 01 | Julian Reschke | New version available: draft-ietf-httpauth-basicauth-update-01.txt |
2013-09-13 | 00 | Julian Reschke | New version available: draft-ietf-httpauth-basicauth-update-00.txt |
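The ballot comments above turn on three mechanics of the scheme: the recipient splits user-pass at the first colon (Pete Resnick's comment), the new charset parameter with UTF-8 as its only value (shepherd writeup), and the protection-space rule that lets a client send credentials preemptively (Richard Barnes's discuss). The following example is added here and is not code from the draft or its author; the function names, the realm and credential values are constructed, and the path-prefix rule in in_protection_space is the Section 2.2 rule as published in the final RFC, restated here as an assumption of this example rather than quoted from this page.

```python
# Added example, not the draft's code: a minimal 'Basic' encoder/parser
# that follows the behaviours the ballot comments above discuss.
import base64
from typing import Optional, Tuple


def build_challenge(realm: str, utf8: bool = True) -> str:
    """WWW-Authenticate / Proxy-Authenticate value for a realm."""
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')
    value = 'Basic realm="%s"' % quoted
    if utf8:
        value += ', charset="UTF-8"'   # the draft's charset parameter
    return value


def encode_user_pass(user_id: str, password: str) -> str:
    """Client side. A colon in user-id is refused: the recipient would
    split there and see a different user-id/password than intended."""
    if ":" in user_id:
        raise ValueError("user-id must not contain a colon")
    raw = ("%s:%s" % (user_id, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Server side. Returns (user_id, password), or None for a malformed
    credential: wrong scheme, bad Base64, non-UTF-8 bytes, CTL chars,
    or no colon at all. The scheme token is case-insensitive."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        user_pass = raw.decode("utf-8")   # charset="UTF-8" assumed
    except ValueError:   # binascii.Error and UnicodeDecodeError both subclass it
        return None
    # The draft excludes CTL characters (RFC 5234) from user-id and password.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user_pass):
        return None
    user_id, sep, password = user_pass.partition(":")   # first colon wins
    if not sep:
        return None
    return user_id, password


def in_protection_space(challenged_path: str, request_path: str) -> bool:
    """Preemptive-send scope (assumed rule, see lead-in): paths at or below
    the directory of the challenged URI are taken to share its realm. Note
    that a challenge at "/~user1" makes the prefix "/", which is exactly the
    leakage scenario raised in the ballot discuss."""
    prefix = challenged_path[: challenged_path.rfind("/") + 1]
    return request_path.startswith(prefix)


def colon_mangling_demo() -> Optional[Tuple[str, str]]:
    """Constructed input: a user agent accepted 'alice:admin' as user-id.
    The recipient splits at the first colon and sees user 'alice'."""
    raw = base64.b64encode(b"alice:admin:s3cret").decode("ascii")
    return parse_authorization("Basic " + raw)
```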