
HTTP Authentication: Basic and Digest Access Authentication (RFC2617)

IP.com Disclosure Number: IPCOM000003204D
Original Publication Date: 1999-Jun-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 28 page(s) / 72K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

J. Franks: AUTHOR

Abstract

"HTTP/1.0" includes the specification for a Basic Access Authentication scheme. This scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL [5]), as the user name and password are passed over the network as cleartext.

This text was extracted from an ASCII document.
This is the abbreviated version, containing approximately 4% of the total text.

Network Working Group
Request for Comments: 2617
Obsoletes: 2069
Category: Standards Track
June 1999

J. Franks, Northwestern University
P. Hallam-Baker, Verisign, Inc.
J. Hostetler, AbiSource, Inc.
S. Lawrence, Agranat Systems, Inc.
P. Leach, Microsoft Corporation
A. Luotonen, Netscape Communications Corporation
L. Stewart, Open Market, Inc.

HTTP Authentication: Basic and Digest Access Authentication

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

"HTTP/1.0" includes the specification for a Basic Access Authentication scheme. This scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL [5]), as the user name and password are passed over the network as cleartext.

This document also provides the specification for HTTP's authentication framework, the original Basic authentication scheme and a scheme based on cryptographic hashes, referred to as "Digest Access Authentication". It is therefore also intended to serve as a replacement for RFC 2069 [6]. Some optional elements specified by RFC 2069 have been removed from this specification due to problems found since its publication; other new elements have been added for compatibility. Those new elements have been made optional, but are strongly recommended.

Like Basic, Digest access authentication verifies that both parties to a communication know a shared secret (a password); unlike Basic, this verification can be done without sen...