Considerations for Web Transaction Security (RFC2084)

IP.com Disclosure Number: IPCOM000002636D
Original Publication Date: 1997-Jan-01
Included in the Prior Art Database: 2019-Feb-16
Document File: 6 page(s) / 7K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

G. Bossert: AUTHOR [+2]

Related Documents

10.17487/RFC2084: DOI

Abstract

This document specifies the requirements for the provision of security services to the HyperText Transport Protocol. These services include confidentiality, integrity, user authentication, and authentication of servers/services, including proxied or gatewayed services. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 40% of the total text.

Network Working Group
Request for Comments: 2084
Category: Informational

G. Bossert
S. Cooper
Silicon Graphics Inc.
W. Drummond
IEEE, Inc.
January 1997

Considerations for Web Transaction Security

Status of this Memo

This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract

This document specifies the requirements for the provision of security services to the HyperText Transport Protocol. These services include confidentiality, integrity, user authentication, and authentication of servers/services, including proxied or gatewayed services. Such services may be provided as extensions to HTTP, or as an encapsulating security protocol. Secondary requirements include ease of integration and support of multiple mechanisms for providing these services.

1. Introduction

The use of the HyperText Transport Protocol [1] to provide specialized or commercial services and personal or private data necessitates the development of secure versions that include privacy and authentication services. Such services may be provided as extensions to HTTP, or as encapsulating security protocols; for the purposes of this document, all such enhancements will be referred to as WTS.

In this document, we specify the requirements for WTS, with the intent of codifying perceived Internet-wide needs, along with existing practice, in a way that aids in the evaluation and development of such protocols.

WTS is an enhancement to an object transport protocol. As such, it does not provide independent certification of documents or other data objects outside of the scope of the transfer of said objects. In addition, security at the WTS layer is independent of and orthogonal to security services provided at underlying network layers. It is envisioned that WTS may coexist in a single transaction with such mechanisms, each providing security services at the appropriate level, with at worst some redundancy of service.

1.1 Terminology

The following terms have specific meaning in the context of this document. The HTTP specification [1] defines additional useful terms.

Transaction: A complete HTTP action, consisting of a request from the client and a response from the server.

Gatewayed Service: A service accessed, via HTTP or an alternate protocol, by the HTTP server on behalf of the client.

Mechanism: A specific implementation of a protocol or related subset of features of a protocol.

2. General Requirements

WTS must define the following services. These services must be provided independently of each other and support the needs of proxies and intermediaries.

o Confidentiality of the HTTP request and/or response.
o Data origin authentication and data integrity of the HTTP request and/or response.
o Non-repudiability of origin for the request and/or response.
o Transmission freshn...