The authentication mechanism most widely deployed and used by
Internet application protocols is the transmission of clear-text
passwords over a channel protected by Transport Layer Security (TLS).
There are significant security concerns with that mechanism, which a
challenge-response authentication mechanism protected by TLS could
address. Unfortunately, the HTTP Digest challenge-response mechanism
presently on the standards track failed to achieve widespread
deployment and has had success only in limited
This specification describes a family of HTTP authentication
mechanisms called the Salted Challenge Response Authentication
Mechanism (SCRAM), which addresses security concerns with HTTP Digest
and meets the deployability requirements. When used in combination
with TLS or an equivalent security layer, a mechanism from this
family could improve the status quo for HTTP authentication.
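The salted challenge-response exchange the abstract refers to, as an added example that is not part of the draft or of its known implementation: a toy SCRAM-SHA-256 client and server in Python, following the RFC 5802 computations that the HTTP binding reuses. The username, password, iteration count and the SASL-style message framing are assumptions for illustration; the HTTP header syntax the draft defines is not shown. The point the code makes is the one the abstract draws against clear-text passwords: the server never receives the password, stores only StoredKey = H(ClientKey) and ServerKey, and both sides' proofs are bound to fresh nonces.

```python
"""Added example (not the draft's code): SCRAM-SHA-256 per RFC 5802 in one process."""
import base64
import hashlib
import hmac
import secrets

HASH = "sha256"


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(msg: str) -> dict:
    # "k=v,k=v" -> {"k": "v"}; values may contain "=" (base64 padding)
    return dict(part.split("=", 1) for part in msg.split(","))


def stored_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """What the server keeps. StoredKey = H(ClientKey) cannot be replayed as a
    client proof, and ServerKey only lets the server prove itself."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}


class ScramClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.nonce = _b64(secrets.token_bytes(18))
        self.server_signature = None

    def first_message(self) -> str:
        # "n,," is the GS2 header: no channel binding, no authzid
        self.bare = f"n={self.username},r={self.nonce}"
        return "n,," + self.bare

    def final_message(self, server_first: str) -> str:
        a = _attrs(server_first)
        if not a["r"].startswith(self.nonce):  # server must extend our nonce
            raise ValueError("server nonce does not extend client nonce")
        salt, iterations = base64.b64decode(a["s"]), int(a["i"])
        salted = hashlib.pbkdf2_hmac(HASH, self.password.encode(), salt, iterations)
        client_key = _hmac(salted, b"Client Key")
        server_key = _hmac(salted, b"Server Key")
        without_proof = f"c={_b64(b'n,,')},r={a['r']}"
        auth_message = ",".join([self.bare, server_first, without_proof]).encode()
        client_sig = _hmac(hashlib.sha256(client_key).digest(), auth_message)
        self.server_signature = _hmac(server_key, auth_message)
        # ClientProof = ClientKey XOR ClientSignature; bound to both nonces,
        # so a captured proof is useless in another exchange
        return without_proof + ",p=" + _b64(_xor(client_key, client_sig))

    def verify_server_final(self, server_final: str) -> bool:
        # Mutual authentication: the server proves it holds ServerKey.
        v = base64.b64decode(_attrs(server_final)["v"])
        return hmac.compare_digest(v, self.server_signature)


class ScramServer:
    def __init__(self, creds: dict):
        self.creds = creds
        self.nonce = _b64(secrets.token_bytes(18))

    def first_message(self, client_first: str) -> str:
        self.client_bare = client_first[len("n,,"):]
        self.combined_nonce = _attrs(self.client_bare)["r"] + self.nonce
        c = self.creds
        self.server_first = (f"r={self.combined_nonce},"
                             f"s={_b64(c['salt'])},i={c['iterations']}")
        return self.server_first

    def verify_client_final(self, client_final: str):
        """Return the server-final message on success, None on failure."""
        without_proof, _, proof_b64 = client_final.rpartition(",p=")
        if _attrs(without_proof).get("r") != self.combined_nonce:
            return None
        auth_message = ",".join([self.client_bare, self.server_first, without_proof]).encode()
        # Recover ClientKey = ClientProof XOR ClientSignature, check H(ClientKey) == StoredKey
        client_sig = _hmac(self.creds["stored_key"], auth_message)
        client_key = _xor(base64.b64decode(proof_b64), client_sig)
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(),
                                   self.creds["stored_key"]):
            return None
        return "v=" + _b64(_hmac(self.creds["server_key"], auth_message))


def run_exchange(stored_password: str, offered_password: str) -> tuple:
    """(client accepted by server, server verified by client) for one handshake.
    Constructed inputs: user 'alice', a random 16-byte salt, 4096 iterations."""
    creds = stored_credentials(stored_password, secrets.token_bytes(16), 4096)
    client, server = ScramClient("alice", offered_password), ScramServer(creds)
    server_first = server.first_message(client.first_message())
    server_final = server.verify_client_final(client.final_message(server_first))
    if server_final is None:
        return (False, False)
    return (True, client.verify_server_final(server_final))
```

Running `run_exchange("correct horse", "correct horse")` yields `(True, True)`; offering a wrong password yields `(False, False)`, and in neither case does the password or a password-equivalent cross the wire, which is the property clear-text-over-TLS lacks once the TLS endpoint or the server's credential store is compromised.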
Working Group Summary
This document is one of the experimental documents submitted to the
HTTP-Auth working group.
With version -13, it is the consensus of the HTTP-Auth working group
that this document is fit to be published as an Experimental RFC.
There are a few nits that must be addressed during the IETF Last Call review.
The proposed authentication method has been reviewed by a fair number of
There is one known implementation of this protocol.
Author: Alexey Melnikov
Shepherd: Rifaat Shekh-Yusef
Area Director: Kathleen Moriarty