Salted Challenge Response HTTP Authentication Mechanism
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org>
To: "IETF-Announce" <email@example.com>
Cc: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, Kathleen.Moriarty.firstname.lastname@example.org, email@example.com, "The IESG" <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com
Subject: Document Action: 'Salted Challenge Response (SCRAM) HTTP Authentication Mechanism' to Experimental RFC (draft-ietf-httpauth-scram-auth-15.txt)

The IESG has approved the following document:
- 'Salted Challenge Response (SCRAM) HTTP Authentication Mechanism'
  (draft-ietf-httpauth-scram-auth-15.txt) as Experimental RFC

This document is the product of the Hypertext Transfer Protocol Authentication Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpauth-scram-auth/
Technical Summary

The authentication mechanism most widely deployed and used by Internet application protocols is the transmission of clear-text passwords over a channel protected by Transport Layer Security (TLS). There are some significant security concerns with that mechanism, which could be addressed by the use of a challenge-response authentication mechanism protected by TLS. Unfortunately, the HTTP Digest challenge-response mechanism presently on the standards track failed to achieve widespread deployment and has had success only in limited use.

This specification describes a family of HTTP authentication mechanisms called the Salted Challenge Response Authentication Mechanism (SCRAM), which addresses the security concerns with HTTP Digest and meets the deployability requirements. When used in combination with TLS or an equivalent security layer, a mechanism from this family could improve the status quo for HTTP authentication.

Working Group Summary

This document is one of the experimental documents submitted to the HTTP-Auth working group. With version -13, it is the consensus of the HTTP-Auth working group that this document is fit to be published as an Experimental RFC.

Document Quality

The proposed authentication method has been reviewed by a fair number of participants. There is one known implementation of this protocol.

Personnel

The document shepherd is Rifaat Shekh-Yusef and the Responsible Area Director is Kathleen Moriarty.