Considerations for Web Transaction Security (RFC2084)
Original Publication Date: 1997-Jan-01
Included in the Prior Art Database: 2019-Feb-16
Internet Society Requests For Comment (RFCs)
Authors: G. Bossert, S. Cooper, W. Drummond
Network Working Group                                        G. Bossert
Request for Comments: 2084                                    S. Cooper
Category: Informational                           Silicon Graphics Inc.
                                                            W. Drummond
                                                             IEEE, Inc.
                                                           January 1997
Considerations for Web Transaction Security
Status of this Memo
This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
This document specifies the requirements for the provision of security services to the HyperText Transport Protocol. These services include confidentiality, integrity, user authentication, and authentication of servers/services, including proxied or gatewayed services. Such services may be provided as extensions to HTTP, or as an encapsulating security protocol. Secondary requirements include ease of integration and support of multiple mechanisms for providing these services.
The use of the HyperText Transport Protocol to provide specialized or commercial services and personal or private data necessitates the development of secure versions that include privacy and authentication services. Such services may be provided as extensions to HTTP, or as encapsulating security protocols; for the purposes of this document, all such enhancements will be referred to as WTS.
In this document, we specify the requirements for WTS, with the intent of codifying perceived Internet-wide needs, along with existing practice, in a way that aids in the evaluation and development of such protocols.
Bossert, et. al. Informational [Page 1]
RFC 2084 Considerations for Web Transaction Security January 1997
WTS is an enhancement to an object transport protocol. As such, it does not provide independent certification of documents or other data objects outside of the scope of the transfer of said objects. In addition, security at the WTS layer is independent of and orthogonal to security services provided at underlying network layers. It is envisioned that WTS may coexist in a single transaction with such mechanisms, each providing security services at the appropriate level, with at worst some redundancy of service.
The following terms have specific meaning in the context of this document. The HTTP specification defines additional useful terms.
Transaction: A complete HTTP action, consisting of a request from the client and a response from the server.
Gatewayed Service: A service accessed, via HTTP or an alternate protocol, by the HTTP server on behalf of the client.
Mechanism: A specific implementation of a protocol or related subset of features of a protocol.
2. General Requirements
WTS must define the following services. These services must be provided independently of each other and must support the needs of proxies and intermediaries:
o Confidentiality of the HTTP request and/or response.
o Data origin authentication and data integrity of the HTTP request and/or response.
o Non-repudiability of origin for the request and/or response.
o Transmission freshn...
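As an added illustration, not part of RFC 2084 and not a description of any particular WTS protocol, the following Python sketch shows how a mechanism above the transport layer can supply some of the services listed above as separate checks over a single HTTP transaction: data origin authentication and integrity (an HMAC over a canonical form of the request) and transmission freshness (a timestamp window plus a nonce replay cache). It also shows why the services are independent: the same HMAC gives integrity and origin authentication but not non-repudiation, since the server holds the same key and could have produced the tag itself, and it provides no confidentiality at all. The X-WTS-* header names, the shared key, the protected header set and the sample request are all constructed for this example; nothing here depends on whether the underlying connection also uses a transport-layer mechanism.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example values; a real deployment would provision the key
# out of band and choose its own header names.
SHARED_KEY = b"example-shared-key-not-for-real-use"
FRESHNESS_WINDOW = 300                      # seconds either side of "now"
PROTECTED_HEADERS = ("host", "content-type")  # end-to-end headers covered by the tag


def canonicalize(method, path, headers, body, timestamp, nonce):
    """Byte string that the tag authenticates.

    Only the headers in PROTECTED_HEADERS are covered, in a fixed order, so a
    proxy may add hop-by-hop headers without invalidating the tag. The body is
    covered through its SHA-256 digest so large bodies are not re-hashed twice.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [method.upper(), path]
    lines += [f"{name}:{lowered.get(name, '')}" for name in PROTECTED_HEADERS]
    lines += [str(timestamp), nonce, hashlib.sha256(body).hexdigest()]
    return "\n".join(lines).encode()


def protect_request(method, path, headers, body, key=SHARED_KEY,
                    now=None, nonce=None):
    """Client side: attach freshness fields and an integrity/origin tag.

    Returns the header dict the client should send. `now` and `nonce` can be
    supplied for deterministic testing; otherwise the clock and a random
    128-bit nonce are used.
    """
    timestamp = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    msg = canonicalize(method, path, headers, body, timestamp, nonce)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    protected = dict(headers)
    protected["X-WTS-Timestamp"] = str(timestamp)
    protected["X-WTS-Nonce"] = nonce
    protected["X-WTS-Tag"] = tag
    return protected


class Verifier:
    """Server side: checks freshness first, then the tag."""

    def __init__(self, key=SHARED_KEY, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp at which it was accepted

    def verify(self, method, path, headers, body, now=None):
        """Return (ok, reason).

        Order matters: a stale or replayed request is rejected before any
        MAC computation, and the tag comparison is constant-time so timing
        does not leak how many tag bytes matched.
        """
        now = int(time.time() if now is None else now)
        try:
            timestamp = int(headers["X-WTS-Timestamp"])
            nonce = headers["X-WTS-Nonce"]
            tag = headers["X-WTS-Tag"]
        except (KeyError, ValueError):
            return False, "missing or malformed WTS headers"

        # Transmission freshness: bound clock skew and forget nonces that can
        # no longer pass the timestamp check, so the cache stays small.
        if abs(now - timestamp) > self.window:
            return False, "stale timestamp"
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= self.window}
        if nonce in self.seen:
            return False, "replayed nonce"

        # Data origin authentication and integrity: recompute the tag over
        # the canonical form actually received (the X-WTS-* headers are not
        # in PROTECTED_HEADERS, so their presence does not alter the input).
        msg = canonicalize(method, path, headers, body, timestamp, nonce)
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag (tampered or wrong origin)"

        self.seen[nonce] = timestamp
        return True, "ok"


if __name__ == "__main__":
    hdrs = {"Host": "example.test", "Content-Type": "application/json"}
    body = b'{"amount": 10}'
    sent = protect_request("POST", "/pay", hdrs, body)
    print(Verifier().verify("POST", "/pay", sent, body))
```

The verifier keeps state per nonce, which is exactly the kind of state a proxy or gateway in the path must not be required to hold; that is one reason the requirements call for the services to be separable, so an intermediary can forward a tagged request untouched while the origin server alone performs the freshness and origin checks.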