draft-ietf-httpauth-extension-04.txt -> draft-ietf-httpauth-extension-05.txt
(text common to both drafts is shown once; lines marked "-" appear only in -04, lines marked "+" only in -05)

HTTPAUTH Working Group                                          Y. Oiwa
Internet-Draft                                              H. Watanabe
Intended status: Experimental                                 H. Takagi
-Expires: January 7, 2016                                    ITRI, AIST
+Expires: July 10, 2016                                      ITRI, AIST
                                                             T. Hayashi
                                                                Lepidum
                                                                Y. Ioku
                                                             Individual
-                                                           July 6, 2015
+                                                        January 7, 2016

        HTTP Authentication Extensions for Interactive Clients
-                  draft-ietf-httpauth-extension-04
+                  draft-ietf-httpauth-extension-05
Abstract

   This document specifies a few extensions of the HTTP authentication
   framework for interactive clients.  Recently, the fundamental features
   of HTTP-level authentication have not been enough for the complex
   requirements of various Web-based applications.  This forces these
   applications to implement their own authentication frameworks using
   HTML Forms and other means, which becomes one of the hurdles against
   introducing secure authentication mechanisms handled jointly by
   servers and user-
[skipping to change at page 1, line 45]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-  This Internet-Draft will expire on January 7, 2016.
+  This Internet-Draft will expire on July 10, 2016.

Copyright Notice

-  Copyright (c) 2015 IETF Trust and the persons identified as the
+  Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

[skipping to change at page 3, line 34]
       5.1.2.  Case 2: specific action required on log-out . . . . .  17
       5.1.3.  Case 3: specific page displayed before log-in . . . .  17
     5.2.  Example 2: authenticated user-only sites  . . . . . . . .  18
     5.3.  When to use Cookies . . . . . . . . . . . . . . . . . . .  18
     5.4.  Parallel deployment with Form/Cookie authentications  . .  19
   6.  Methods to extend this protocol . . . . . . . . . . . . . . .  20
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  20
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  21
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  22
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  22
-    9.2.  Informative References  . . . . . . . . . . . . . . . . .  22
+    9.2.  Informative References  . . . . . . . . . . . . . . . . .  23
   Appendix A.  (Informative) Applicability of features for each
                messages . . . . . . . . . . . . . . . . . . . . . .  23
   Appendix B.  (Informative) Draft Notes . . . . . . . . . . . . . .  23
   Appendix C.  (Informative) Draft Change Log  . . . . . . . . . . .  24
     C.1.  Changes in Httpauth WG revision 04  . . . . . . . . . . .  24
     C.2.  Changes in Httpauth WG revision 03  . . . . . . . . . . .  24
     C.3.  Changes in Httpauth WG revision 02  . . . . . . . . . . .  24
     C.4.  Changes in Httpauth WG revision 01  . . . . . . . . . . .  24
     C.5.  Changes in Httpauth revision 00 and HttpBis revision 00 .  24
     C.6.  Changes in revision 02  . . . . . . . . . . . . . . . . .  24
-    C.7.  Changes in revision 01  . . . . . . . . . . . . . . . . .  24
+    C.7.  Changes in revision 01  . . . . . . . . . . . . . . . . .  25
     C.8.  Changes in revision 00  . . . . . . . . . . . . . . . . .  25
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  25
1.  Introduction

   This document proposes several extensions to the current HTTP
   authentication framework, to provide functionality comparable with
   the current widely-used form-based Web authentication.  A majority
   of the recent Web sites on the Internet use custom application-layer
   authentication implementations built on Web forms.  The reasons for

[skipping to change at page 22, line 29]

   limited networks.

   In particular, it SHOULD NOT be used in any case where the valid user
   names are configured by its users or administrators.
9.  References

9.1.  Normative References

-  [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-             Requirement Levels", BCP 14, RFC 2119, March 1997.
+  [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+             Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
+             RFC2119, March 1997,
+             <http://www.rfc-editor.org/info/rfc2119>.

-  [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
-             IANA Considerations Section in RFCs", BCP 26, RFC 5226,
-             May 2008.
+  [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
+             IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+             DOI 10.17487/RFC5226, May 2008,
+             <http://www.rfc-editor.org/info/rfc5226>.

-  [RFC5987]  Reschke, J., "Character Set and Language Encoding for
-             Hypertext Transfer Protocol (HTTP) Header Field
-             Parameters", RFC 5987, August 2010.
+  [RFC5987]  Reschke, J., "Character Set and Language Encoding for
+             Hypertext Transfer Protocol (HTTP) Header Field
+             Parameters", RFC 5987, DOI 10.17487/RFC5987, August 2010,
+             <http://www.rfc-editor.org/info/rfc5987>.

-  [RFC7230]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
-             (HTTP/1.1): Message Syntax and Routing", RFC 7230,
-             June 2014.
+  [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
+             Protocol (HTTP/1.1): Message Syntax and Routing",
+             RFC 7230, DOI 10.17487/RFC7230, June 2014,
+             <http://www.rfc-editor.org/info/rfc7230>.

-  [RFC7235]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
-             (HTTP/1.1): Authentication", RFC 7235, June 2014.
+  [RFC7235]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
+             Protocol (HTTP/1.1): Authentication", RFC 7235,
+             DOI 10.17487/RFC7235, June 2014,
+             <http://www.rfc-editor.org/info/rfc7235>.

9.2.  Informative References

   [I-D.ietf-httpauth-mutual]
              Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi,
              T., and Y. Ioku, "Mutual Authentication Protocol for
-             HTTP", draft-ietf-httpauth-mutual-05 (work in progress),
-             July 2015.
+             HTTP", draft-ietf-httpauth-mutual-06 (work in progress),
+             January 2016.

-  [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
-             April 2011.
+  [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
+             DOI 10.17487/RFC6265, April 2011,
+             <http://www.rfc-editor.org/info/rfc6265>.

   [W3C.REC-webstorage-20130730]
              Hickson, I., "Web Storage", World Wide Web Consortium
              Recommendation REC-webstorage-20130730, July 2013,
              <http://www.w3.org/TR/2013/REC-webstorage-20130730>.
Appendix A.  (Informative) Applicability of features for each messages

   This section provides a cross-reference table of the applicability
   of each feature provided in this specification to each kind of

-[skipping to change at page 25, line 23]
+[skipping to change at page 25, line 29]

   o  Added "no-auth" and "auth-style" parameters.

   o  Loosened standardization requirements for parameter-name tokens
      registration.
Authors' Addresses

   Yutaka Oiwa
   National Institute of Advanced Industrial Science and Technology
   Information Technology Research Institute
-  Tsukuba Central 2
+  Tsukuba Central 1
   1-1-1 Umezono
   Tsukuba-shi, Ibaraki
   JP

   Email: mutual-auth-contact-ml@aist.go.jp

   Hajime Watanabe
   National Institute of Advanced Industrial Science and Technology
   Information Technology Research Institute
-  Tsukuba Central 2
+  Tsukuba Central 1
   1-1-1 Umezono
   Tsukuba-shi, Ibaraki
   JP

   Hiromitsu Takagi
   National Institute of Advanced Industrial Science and Technology
   Information Technology Research Institute
-  Tsukuba Central 2
+  Tsukuba Central 1
   1-1-1 Umezono
   Tsukuba-shi, Ibaraki
   JP

   Tatsuya Hayashi
   Lepidum Co. Ltd.
   #602, Village Sasazuka 3
   1-30-3 Sasazuka
   Shibuya-ku, Tokyo
   JP

   Yuichi Ioku
   Individual
End of changes. 19 change blocks.
22 lines changed or deleted, 30 lines changed or added.

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/