
Changeset 1356

Timestamp:
2011-07-26 09:00:04 (3 years ago)
Author:
julian.reschke@gmx.de
Message:

Considerations for new authentications schemes (see #257)

Location:
draft-ietf-httpbis/latest
Files:
2 edited

  • draft-ietf-httpbis/latest/p7-auth.html

    r1354 r1356  
    545545               <li>2.1&nbsp;&nbsp;&nbsp;<a href="#challenge.and.response">Challenge and Response</a></li> 
    546546               <li>2.2&nbsp;&nbsp;&nbsp;<a href="#protection.space">Protection Space (Realm)</a></li> 
    547                <li>2.3&nbsp;&nbsp;&nbsp;<a href="#authentication.scheme.registry">Authentication Scheme Registry</a></li> 
     547               <li>2.3&nbsp;&nbsp;&nbsp;<a href="#authentication.scheme.registry">Authentication Scheme Registry</a><ul> 
     548                     <li>2.3.1&nbsp;&nbsp;&nbsp;<a href="#considerations.for.new.authentication.schemes">Considerations for New Authentication Schemes</a></li> 
     549                  </ul> 
     550               </li> 
    548551            </ul> 
    549552         </li> 
     
    707710      <p id="rfc.section.2.3.p.4">The registry itself is maintained at &lt;<a href="http://www.iana.org/assignments/http-authschemes">http://www.iana.org/assignments/http-authschemes</a>&gt;. 
    708711      </p> 
     712      <h3 id="rfc.section.2.3.1"><a href="#rfc.section.2.3.1">2.3.1</a>&nbsp;<a id="considerations.for.new.authentication.schemes" href="#considerations.for.new.authentication.schemes">Considerations for New Authentication Schemes</a></h3> 
     713      <p id="rfc.section.2.3.1.p.1">There are certain aspects of the HTTP Authentication Framework that put constraints on how new authentication schemes can 
     714         work: 
     715      </p> 
     716      <p id="rfc.section.2.3.1.p.2"> </p> 
     717      <ul> 
     718         <li>Authentication schemes need to be compatible with the inherent constraints of HTTP; for instance, that messages need to keep 
     719            their semantics when inspected in isolation, thus an authentication scheme can not bind information to the TCP session over 
     720            which the message was received (see <a href="p1-messaging.html#message-orientation-and-buffering" title="Message Orientation and Buffering">Section 2.2</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). 
     721         </li> 
     722         <li>The authentication parameter "realm" is reserved for defining Protection Spaces as defined in <a href="#protection.space" title="Protection Space (Realm)">Section&nbsp;2.2</a>. New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition. 
     723         </li> 
     724         <li>Authentication schemes need to document whther they are usable in origin-server authentication (i.e., using WWW-Authenticate), 
     725            and/or proxy authentication (i.e., using Proxy-Authenticate). 
     726         </li> 
     727      </ul> 
    709728      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1> 
    710729      <div id="rfc.iref.8"></div> 
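Review bot: the typo "whther" in the third bullet of the new 2.3.1 list is carried over from the XML source; fix it in p7-auth.xml and regenerate rather than patching this rendered HTML. A cosmetic point in the same hunk: `<p id="rfc.section.2.3.1.p.2"> </p>` renders as an empty paragraph ahead of the `<ul>` because the list sits in its own `<t>`; moving the list into the `<t>` that ends with "work:" would avoid the blank paragraph.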
     
    752771      <h2 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a>&nbsp;<a id="header.proxy-authenticate" href="#header.proxy-authenticate">Proxy-Authenticate</a></h2> 
    753772      <p id="rfc.section.4.2.p.1">The "Proxy-Authenticate" header field consists of a challenge that indicates the authentication scheme and parameters applicable 
    754          to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response. 
     773         to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response. 
    755774      </p> 
    756775      <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.2"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> 
     
    776795      <h2 id="rfc.section.4.4"><a href="#rfc.section.4.4">4.4</a>&nbsp;<a id="header.www-authenticate" href="#header.www-authenticate">WWW-Authenticate</a></h2> 
    777796      <p id="rfc.section.4.4.p.1">The "WWW-Authenticate" header field consists of at least one challenge that indicates the authentication scheme(s) and parameters 
    778          applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages. 
     797         applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.9"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages. 
    779798      </p> 
    780799      <div id="rfc.figure.u.9"></div><pre class="inline"><span id="rfc.iref.g.4"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> 
     
    10891108         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/177">http://tools.ietf.org/wg/httpbis/trac/ticket/177</a>&gt;: "Realm required on challenges" 
    10901109         </li> 
     1110         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/257">http://tools.ietf.org/wg/httpbis/trac/ticket/257</a>&gt;: "Considerations for new authentications schemes" 
     1111         </li> 
    10911112      </ul> 
    10921113      <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1> 
     
    11341155            </li> 
    11351156            <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul> 
    1136                   <li><em>Part1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a>, <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a>, <a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7">4.2</a>, <a href="#rfc.xref.Part1.8">4.4</a>, <a href="#Part1"><b>8.1</b></a><ul> 
     1157                  <li><em>Part1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a>, <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a>, <a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7">2.3.1</a>, <a href="#rfc.xref.Part1.8">4.2</a>, <a href="#rfc.xref.Part1.9">4.4</a>, <a href="#Part1"><b>8.1</b></a><ul> 
    11371158                        <li><em>Section 1.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a></li> 
    11381159                        <li><em>Section 1.2.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a></li> 
    1139                         <li><em>Section 4.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7">4.2</a>, <a href="#rfc.xref.Part1.8">4.4</a></li> 
     1160                        <li><em>Section 2.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.7">2.3.1</a></li> 
     1161                        <li><em>Section 4.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.8">4.2</a>, <a href="#rfc.xref.Part1.9">4.4</a></li> 
    11401162                     </ul> 
    11411163                  </li> 
  • draft-ietf-httpbis/latest/p7-auth.xml

    r1354 r1356  
    2020  <!ENTITY basic-rules                  "<xref target='Part1' x:rel='#basic.rules' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
    2121  <!ENTITY effective-request-uri        "<xref target='Part1' x:rel='#effective.request.uri' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
     22  <!ENTITY msg-orient-and-buffering     "<xref target='Part1' x:rel='#message-orientation-and-buffering' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
    2223  <!ENTITY end-to-end.and-hop-by-hop    "<xref target='Part1' x:rel='#end-to-end.and.hop-by-hop.header-fields' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
    2324  <!ENTITY shared-and-non-shared-caches "<xref target='Part6' x:rel='#shared.and.non-shared.caches' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
     
    441442  The registry itself is maintained at <eref target="http://www.iana.org/assignments/http-authschemes"/>. 
    442443</t> 
     444 
     445<section title="Considerations for New Authentication Schemes" anchor="considerations.for.new.authentication.schemes"> 
     446<t> 
     447  There are certain aspects of the HTTP Authentication Framework that put 
     448  constraints on how new authentication schemes can work: 
     449</t> 
     450<t> 
     451  <list style="symbols"> 
     452    <t> 
     453      Authentication schemes need to be compatible with the inherent 
     454      constraints of HTTP; for instance, that messages need to keep their 
     455      semantics when inspected in isolation, thus an authentication scheme 
     456      can not bind information to the TCP session over which the message 
     457      was received (see &msg-orient-and-buffering;).  
     458    </t> 
     459    <t> 
     460      The authentication parameter "realm" is reserved for defining Protection 
     461      Spaces as defined in <xref target="protection.space"/>. New schemes 
     462      &MUST-NOT; use it in a way incompatible with that definition. 
     463    </t> 
     464    <t> 
     465      Authentication schemes need to document whther they are usable in 
     466      origin-server authentication (i.e., using WWW-Authenticate), and/or 
     467      proxy authentication (i.e., using Proxy-Authenticate). 
     468    </t>     
     469    <!-- note about Authorization header --> 
     470  </list> 
     471</t> 
     472</section> 
     473 
    443474</section> 
    444475 
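Review bot: "whther" in the third bullet should read "whether", and the placeholder `<!-- note about Authorization header -->` left at the end of the list is an open item; either write that text now or record it on ticket #257 so it does not silently ship in the next draft. Minor: "can not" in the first bullet reads better as "cannot", and the `</t>` closing the third bullet carries trailing whitespace.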
     
    12281259      "Realm required on challenges" 
    12291260    </t> 
     1261    <t> 
     1262      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/257"/>: 
     1263      "Considerations for new authentications schemes" 
     1264    </t> 
    12301265  </list> 
    12311266</t> 