Mutual Authentication Protocol for HTTP
RFC 8120
| Group | Field | Value |
|---|---|---|
| Document | Type | RFC - Experimental (April 2017; No errata) |
| | Authors | Yutaka Oiwa, Hajime Watanabe, Hiromitsu Takagi, Kaoru Maeda, Tatsuya Hayashi, Yuichi Ioku |
| | Last updated | 2017-04-11 |
| | Replaces | draft-oiwa-httpbis-mutualauth |
| | Stream | IETF |
| | Formats | plain text, html, pdf, htmlized, bibtex |
| Stream | WG state | Submitted to IESG for Publication |
| | Document shepherd | Rifaat Shekh-Yusef |
| | Shepherd write-up | last changed 2016-07-17 |
| IESG | IESG state | RFC 8120 (Experimental) |
| | Action Holders | (None) |
| | Consensus Boilerplate | Yes |
| | Responsible AD | Kathleen Moriarty |
| | Send notices to | "Rifaat Shekh-Yusef" <rifaat.ietf@gmail.com> |
| IANA | IANA review state | Version Changed - Review Needed |
| | IANA action state | RFC-Ed-Ack |
Internet Engineering Task Force (IETF)
Request for Comments: 8120
Category: Experimental
ISSN: 2070-1721

Y. Oiwa, H. Watanabe, H. Takagi (ITRI, AIST)
K. Maeda (Individual Contributor)
T. Hayashi (Lepidum)
Y. Ioku (Individual Contributor)
April 2017

Mutual Authentication Protocol for HTTP

Abstract

This document specifies an authentication scheme for the Hypertext Transfer Protocol (HTTP) that is referred to as either the Mutual authentication scheme or the Mutual authentication protocol. This scheme provides true mutual authentication between an HTTP client and an HTTP server using password-based authentication. Unlike the Basic and Digest authentication schemes, the Mutual authentication scheme specified in this document assures the user that the server truly knows the user's encrypted password.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.

This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8120.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
1.1. Terminology
1.2. Document Structure and Related Documents
2. Protocol Overview
2.1. Messages
2.2. Typical Flows of the Protocol
2.3. Alternative Flows
3. Message Syntax
3.1. Non-ASCII Extended Header Parameters
3.2. Values
3.2.1. Tokens
3.2.2. Strings
3.2.3. Numbers
4. Messages
4.1. 401-INIT and 401-STALE
4.2. req-KEX-C1
4.3. 401-KEX-S1
4.4. req-VFY-C
4.5. 200-VFY-S
5. Authentication Realms
5.1. Resolving Ambiguities
6. Session Management
7. Host Validation Methods
7.1. Applicability Notes
7.2. Notes on "tls-unique"
8. Authentication Extensions
9. String Preparation