Considerations for Web Transaction Security (RFC2084)

IP.com Disclosure Number: IPCOM000002636D
Original Publication Date: 1997-Jan-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 4 page(s) / 8K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

G. Bossert: AUTHOR [+3]

Abstract

This document specifies the requirements for the provision of security services to the HyperText Transport Protocol. These services include confidentiality, integrity, user authentication, and authentication of servers/services, including proxied or gatewayed services. Such services may be provided as extensions to HTTP, or as an encapsulating security protocol. Secondary requirements include ease of integration and support of multiple mechanisms for providing these services.

This text was extracted from an ASCII Text document.
This is the abbreviated version, containing approximately 37% of the total text.

Network Working Group                                         G. Bossert
Request for Comments: 2084                                     S. Cooper
Category: Informational                            Silicon Graphics Inc.
                                                             W. Drummond
                                                              IEEE, Inc.
                                                            January 1997

Considerations for Web Transaction Security

Status of this Memo

This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract

This document specifies the requirements for the provision of security services to the HyperText Transport Protocol. These services include confidentiality, integrity, user authentication, and authentication of servers/services, including proxied or gatewayed services. Such services may be provided as extensions to HTTP, or as an encapsulating security protocol. Secondary requirements include ease of integration and support of multiple mechanisms for providing these services.

1. Introduction

The use of the HyperText Transport Protocol [1] to provide specialized or commercial services and personal or private data necessitates the development of secure versions that include privacy and authentication services. Such services may be provided as extensions to HTTP, or as encapsulating security protocols; for the purposes of this document, all such enhancements will be referred to as WTS.

In this document, we specify the requirements for WTS, with the intent of codifying perceived Internet-wide needs, along with existing practice, in a way that aids in the evaluation and development of such protocols.

WTS is an enhancement to an object transport protocol. As such, it does not provide independent certification of documents or other data objects outside of the scope of the transfer of said objects. In addition, security at the WTS layer is independent of and orthogonal to security services provided at underlying network layers. It is envisioned that WTS may coexist in a single transaction with such mechanisms, each providing security services at the appropriate level, with at worst some redundancy of service.

1.1 Terminology

The following terms have specific meaning in the context of this document. The HTTP specification [1] defines additional useful terms.

Transaction:
   A complete HTTP action, consisting of a request from the client and a response from the server.

Gatewayed Service:
   A service accessed, via HTTP or an alternate protocol, by the HTTP server on behalf of the client.

Mechanism:
   A specific implementation of a protocol or related subset of features of a protocol.

2. General Requirements

WTS must define the following services. These services must be provided independ...