HTTP Authentication Extensions for Interactive Clients (RFC8053)
Disclosure Number: IPCOM000249019D
Original Publication Date: 2017-Jan-01
Included in the Prior Art Database: 2017-Jan-26
Document File: 56 page(s) / 63K

This document defines several extensions to the current HTTP authentication framework to provide functionality comparable with the form-based Web authentication now in wide use. Most current websites on the Internet implement their own application-layer authentication using Web forms. The reasons vary, but a common view is that HTTP Basic and Digest authentication lack the functionality (including adequate user interfaces) needed by most realistic Web-based applications. Form-based Web authentication, however, has several weaknesses against attacks such as phishing, because all behavior of the authentication is controlled by the server-side application; this makes it very hard to introduce cryptographically strong authentication mechanisms into Web systems. To overcome this problem, the HTTP authentication framework needs to be "modernized" so that better client-controlled secure methods can be used with Web applications. The extensions proposed in this document include:

Internet Engineering Task Force (IETF)                           Y. Oiwa
Request for Comments: 8053                                   H. Watanabe
Category: Experimental                                         H. Takagi
ISSN: 2070-1721                                               ITRI, AIST
                                                                K. Maeda
                                                              T. Hayashi
                                                                 Lepidum
                                                                 Y. Ioku
                                                  Individual Contributor
                                                            January 2017

          HTTP Authentication Extensions for Interactive Clients


Abstract

   This document specifies extensions for the HTTP authentication
   framework for interactive clients.  Currently, fundamental features
   of HTTP-level authentication are insufficient for complex
   requirements of various Web-based applications.  This forces these
   applications to implement their own authentication frameworks by
   means such as HTML forms, which becomes one of the hurdles against
   introducing secure authentication mechanisms handled jointly by
   servers and user agents.  The extended framework fills gaps between
   Web application requirements and HTTP authentication provisions to
   solve the above problems, while maintaining compatibility with
   existing Web and non-Web uses of HTTP authentication.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for examination, experimental implementation, and
   evaluation.

   This document defines an Experimental Protocol for the Internet
   community.  This document is a product of the Internet Engineering
   Task Force (IETF).  It represents the consensus of the IETF
   community.  It has received public review and has been approved for
   publication by the Internet Engineering Steering Group (IESG).  Not
   all documents approved by the IESG are a candidate for any level of
   Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

 Oiwa, et al.                  Experime...