%% You should probably cite rfc8120 instead of this I-D. @techreport{ietf-httpauth-mutual-00, number = {draft-ietf-httpauth-mutual-00}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-ietf-httpauth-mutual/00/}, author = {Yutaka Oiwa and Hajime Watanabe and Hiromitsu Takagi and Boku Kihara and Tatsuya Hayashi and Yuichi Ioku}, title = {{Mutual Authentication Protocol for HTTP}}, pagetotal = 53, year = 2013, month = jul, day = 1, abstract = {This document specifies a mutual authentication method for the Hyper- text Transport Protocol (HTTP). This method provides a true mutual authentication between an HTTP client and an HTTP server using password-based authentication. Unlike the Basic and Digest authentication methods, the Mutual authentication method specified in this document assures the user that the server truly knows the user's encrypted password. This prevents common phishing attacks: a phishing attacker controlling a fake website cannot convince a user that he authenticated to the genuine website. Furthermore, even when a user authenticates to an illegitimate server, the server cannot gain any information about the user's password. The Mutual authentication method is designed as an extension to the HTTP protocol, and is intended to replace the existing authentication methods used in HTTP (the Basic method, Digest method, and authentication using HTML forms).}, }