| draft-ietf-httpbis-p7-auth-01.txt | draft-ietf-httpbis-p7-auth-02.txt | |||
|---|---|---|---|---|
| Network Working Group R. Fielding, Ed. | Network Working Group R. Fielding, Ed. | |||
| Internet-Draft Day Software | Internet-Draft Day Software | |||
| Obsoletes: 2616 (if approved) J. Gettys | Obsoletes: 2616 (if approved) J. Gettys | |||
| Updates: 2617 (if approved) One Laptop per Child | Updates: 2617 (if approved) One Laptop per Child | |||
| Intended status: Standards Track J. Mogul | Intended status: Standards Track J. Mogul | |||
| Expires: July 15, 2008 HP | Expires: August 27, 2008 HP | |||
| H. Frystyk | H. Frystyk | |||
| Microsoft | Microsoft | |||
| L. Masinter | L. Masinter | |||
| Adobe Systems | Adobe Systems | |||
| P. Leach | P. Leach | |||
| Microsoft | Microsoft | |||
| T. Berners-Lee | T. Berners-Lee | |||
| W3C/MIT | W3C/MIT | |||
| Y. Lafon, Ed. | Y. Lafon, Ed. | |||
| W3C | W3C | |||
| J. Reschke, Ed. | J. Reschke, Ed. | |||
| greenbytes | greenbytes | |||
| January 12, 2008 | February 24, 2008 | |||
| HTTP/1.1, part 7: Authentication | HTTP/1.1, part 7: Authentication | |||
| draft-ietf-httpbis-p7-auth-01 | draft-ietf-httpbis-p7-auth-02 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 49 | skipping to change at page 1, line 49 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on July 15, 2008. | This Internet-Draft will expire on August 27, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||
| Abstract | Abstract | |||
| The Hypertext Transfer Protocol (HTTP) is an application-level | The Hypertext Transfer Protocol (HTTP) is an application-level | |||
| protocol for distributed, collaborative, hypermedia information | protocol for distributed, collaborative, hypermedia information | |||
| systems. HTTP has been in use by the World Wide Web global | systems. HTTP has been in use by the World Wide Web global | |||
| skipping to change at page 3, line 9 | skipping to change at page 3, line 9 | |||
| This draft incorporates those issue resolutions that were either | This draft incorporates those issue resolutions that were either | |||
| collected in the original RFC2616 errata list | collected in the original RFC2616 errata list | |||
| (<http://purl.org/NET/http-errata>), or which were agreed upon on the | (<http://purl.org/NET/http-errata>), or which were agreed upon on the | |||
| mailing list between October 2006 and November 2007 (as published in | mailing list between October 2006 and November 2007 (as published in | |||
| "draft-lafon-rfc2616bis-03"). | "draft-lafon-rfc2616bis-03"). | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Status Code Definitions . . . . . . . . . . . . . . . . . . . 4 | 2. Notational Conventions and Generic Grammar . . . . . . . . . . 4 | |||
| 2.1. 401 Unauthorized . . . . . . . . . . . . . . . . . . . . . 4 | 3. Status Code Definitions . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.2. 407 Proxy Authentication Required . . . . . . . . . . . . 5 | 3.1. 401 Unauthorized . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Header Field Definitions . . . . . . . . . . . . . . . . . . . 5 | 3.2. 407 Proxy Authentication Required . . . . . . . . . . . . 5 | |||
| 3.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Header Field Definitions . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . . . . 6 | 4.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.3. Proxy-Authorization . . . . . . . . . . . . . . . . . . . 6 | 4.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.4. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 7 | 4.3. Proxy-Authorization . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 4.4. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5.1. Authentication Credentials and Idle Clients . . . . . . . 7 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 | 6.1. Authentication Credentials and Idle Clients . . . . . . . 8 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 8 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 8 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 8 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 | ||||
| Appendix A. Compatibility with Previous Versions . . . . . . . . 9 | Appendix A. Compatibility with Previous Versions . . . . . . . . 9 | |||
| A.1. Changes from RFC 2616 . . . . . . . . . . . . . . . . . . 9 | A.1. Changes from RFC 2616 . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix B. Change Log (to be removed by RFC Editor before | Appendix B. Change Log (to be removed by RFC Editor before | |||
| publication) . . . . . . . . . . . . . . . . . . . . 9 | publication) . . . . . . . . . . . . . . . . . . . . 9 | |||
| B.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 9 | B.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| B.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 9 | B.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 9 | |||
| Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | B.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 9 | |||
| Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 13 | Intellectual Property and Copyright Statements . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines HTTP/1.1 access control and authentication. | This document defines HTTP/1.1 access control and authentication. | |||
| Right now it includes the extracted relevant sections of RFC 2616 | Right now it includes the extracted relevant sections of RFC 2616 | |||
| with only minor changes. The intention is to move the general | with only minor changes. The intention is to move the general | |||
| framework for HTTP authentication here, as currently specified in | framework for HTTP authentication here, as currently specified in | |||
| [RFC2617], and allow the individual authentication mechanisms to be | [RFC2617], and allow the individual authentication mechanisms to be | |||
| defined elsewhere. This introduction will be rewritten when that | defined elsewhere. This introduction will be rewritten when that | |||
| occurs. | occurs. | |||
| skipping to change at page 4, line 39 | skipping to change at page 4, line 39 | |||
| An implementation is not compliant if it fails to satisfy one or more | An implementation is not compliant if it fails to satisfy one or more | |||
| of the MUST or REQUIRED level requirements for the protocols it | of the MUST or REQUIRED level requirements for the protocols it | |||
| implements. An implementation that satisfies all the MUST or | implements. An implementation that satisfies all the MUST or | |||
| REQUIRED level and all the SHOULD level requirements for its | REQUIRED level and all the SHOULD level requirements for its | |||
| protocols is said to be "unconditionally compliant"; one that | protocols is said to be "unconditionally compliant"; one that | |||
| satisfies all the MUST level requirements but not all the SHOULD | satisfies all the MUST level requirements but not all the SHOULD | |||
| level requirements for its protocols is said to be "conditionally | level requirements for its protocols is said to be "conditionally | |||
| compliant." | compliant." | |||
| 2. Status Code Definitions | 2. Notational Conventions and Generic Grammar | |||
| 2.1. 401 Unauthorized | This specification uses the ABNF syntax defined in Section 2.1 of | |||
| [Part1]. [[abnf.dep: ABNF syntax and basic rules will be adopted from | ||||
| RFC 5234, see <http://tools.ietf.org/wg/httpbis/trac/ticket/36>.]] | ||||
| The ABNF rules below are defined in other specifications: | ||||
| challenge = <challenge, defined in [RFC2617], Section 1.2> | ||||
| credentials = <credentials, defined in [RFC2617], Section 1.2> | ||||
| 3. Status Code Definitions | ||||
| 3.1. 401 Unauthorized | ||||
| The request requires user authentication. The response MUST include | The request requires user authentication. The response MUST include | |||
| a WWW-Authenticate header field (Section 3.4) containing a challenge | a WWW-Authenticate header field (Section 4.4) containing a challenge | |||
| applicable to the requested resource. The client MAY repeat the | applicable to the requested resource. The client MAY repeat the | |||
| request with a suitable Authorization header field (Section 3.1). If | request with a suitable Authorization header field (Section 4.1). If | |||
| the request already included Authorization credentials, then the 401 | the request already included Authorization credentials, then the 401 | |||
| response indicates that authorization has been refused for those | response indicates that authorization has been refused for those | |||
| credentials. If the 401 response contains the same challenge as the | credentials. If the 401 response contains the same challenge as the | |||
| prior response, and the user agent has already attempted | prior response, and the user agent has already attempted | |||
| authentication at least once, then the user SHOULD be presented the | authentication at least once, then the user SHOULD be presented the | |||
| entity that was given in the response, since that entity might | entity that was given in the response, since that entity might | |||
| include relevant diagnostic information. HTTP access authentication | include relevant diagnostic information. HTTP access authentication | |||
| is explained in "HTTP Authentication: Basic and Digest Access | is explained in "HTTP Authentication: Basic and Digest Access | |||
| Authentication" [RFC2617]. | Authentication" [RFC2617]. | |||
| 2.2. 407 Proxy Authentication Required | 3.2. 407 Proxy Authentication Required | |||
| This code is similar to 401 (Unauthorized), but indicates that the | This code is similar to 401 (Unauthorized), but indicates that the | |||
| client must first authenticate itself with the proxy. The proxy MUST | client must first authenticate itself with the proxy. The proxy MUST | |||
| return a Proxy-Authenticate header field (Section 3.2) containing a | return a Proxy-Authenticate header field (Section 4.2) containing a | |||
| challenge applicable to the proxy for the requested resource. The | challenge applicable to the proxy for the requested resource. The | |||
| client MAY repeat the request with a suitable Proxy-Authorization | client MAY repeat the request with a suitable Proxy-Authorization | |||
| header field (Section 3.3). HTTP access authentication is explained | header field (Section 4.3). HTTP access authentication is explained | |||
| in "HTTP Authentication: Basic and Digest Access Authentication" | in "HTTP Authentication: Basic and Digest Access Authentication" | |||
| [RFC2617]. | [RFC2617]. | |||
| 3. Header Field Definitions | 4. Header Field Definitions | |||
| This section defines the syntax and semantics of HTTP/1.1 header | This section defines the syntax and semantics of HTTP/1.1 header | |||
| fields related to authentication. | fields related to authentication. | |||
| 3.1. Authorization | 4.1. Authorization | |||
| A user agent that wishes to authenticate itself with a server-- | A user agent that wishes to authenticate itself with a server-- | |||
| usually, but not necessarily, after receiving a 401 response--does so | usually, but not necessarily, after receiving a 401 response--does so | |||
| by including an Authorization request-header field with the request. | by including an Authorization request-header field with the request. | |||
| The Authorization field value consists of credentials containing the | The Authorization field value consists of credentials containing the | |||
| authentication information of the user agent for the realm of the | authentication information of the user agent for the realm of the | |||
| resource being requested. | resource being requested. | |||
| Authorization = "Authorization" ":" credentials | Authorization = "Authorization" ":" credentials | |||
| HTTP access authentication is described in "HTTP Authentication: | HTTP access authentication is described in "HTTP Authentication: | |||
| Basic and Digest Access Authentication" [RFC2617]. If a request is | Basic and Digest Access Authentication" [RFC2617]. If a request is | |||
| authenticated and a realm specified, the same credentials SHOULD be | authenticated and a realm specified, the same credentials SHOULD be | |||
| valid for all other requests within this realm (assuming that the | valid for all other requests within this realm (assuming that the | |||
| authentication scheme itself does not require otherwise, such as | authentication scheme itself does not require otherwise, such as | |||
| credentials that vary according to a challenge value or using | credentials that vary according to a challenge value or using | |||
| synchronized clocks). | synchronized clocks). | |||
| When a shared cache (see Section 8 of [Part6]) receives a request | When a shared cache (see Section 9 of [Part6]) receives a request | |||
| containing an Authorization field, it MUST NOT return the | containing an Authorization field, it MUST NOT return the | |||
| corresponding response as a reply to any other request, unless one of | corresponding response as a reply to any other request, unless one of | |||
| the following specific exceptions holds: | the following specific exceptions holds: | |||
| 1. If the response includes the "s-maxage" cache-control directive, | 1. If the response includes the "s-maxage" cache-control directive, | |||
| the cache MAY use that response in replying to a subsequent | the cache MAY use that response in replying to a subsequent | |||
| request. But (if the specified maximum age has passed) a proxy | request. But (if the specified maximum age has passed) a proxy | |||
| cache MUST first revalidate it with the origin server, using the | cache MUST first revalidate it with the origin server, using the | |||
| request-headers from the new request to allow the origin server | request-headers from the new request to allow the origin server | |||
| to authenticate the new request. (This is the defined behavior | to authenticate the new request. (This is the defined behavior | |||
| skipping to change at page 6, line 24 | skipping to change at page 6, line 34 | |||
| 2. If the response includes the "must-revalidate" cache-control | 2. If the response includes the "must-revalidate" cache-control | |||
| directive, the cache MAY use that response in replying to a | directive, the cache MAY use that response in replying to a | |||
| subsequent request. But if the response is stale, all caches | subsequent request. But if the response is stale, all caches | |||
| MUST first revalidate it with the origin server, using the | MUST first revalidate it with the origin server, using the | |||
| request-headers from the new request to allow the origin server | request-headers from the new request to allow the origin server | |||
| to authenticate the new request. | to authenticate the new request. | |||
| 3. If the response includes the "public" cache-control directive, it | 3. If the response includes the "public" cache-control directive, it | |||
| MAY be returned in reply to any subsequent request. | MAY be returned in reply to any subsequent request. | |||
| 3.2. Proxy-Authenticate | 4.2. Proxy-Authenticate | |||
| The Proxy-Authenticate response-header field MUST be included as part | The Proxy-Authenticate response-header field MUST be included as part | |||
| of a 407 (Proxy Authentication Required) response. The field value | of a 407 (Proxy Authentication Required) response. The field value | |||
| consists of a challenge that indicates the authentication scheme and | consists of a challenge that indicates the authentication scheme and | |||
| parameters applicable to the proxy for this Request-URI. | parameters applicable to the proxy for this Request-URI. | |||
| Proxy-Authenticate = "Proxy-Authenticate" ":" 1#challenge | Proxy-Authenticate = "Proxy-Authenticate" ":" 1#challenge | |||
| The HTTP access authentication process is described in "HTTP | The HTTP access authentication process is described in "HTTP | |||
| Authentication: Basic and Digest Access Authentication" [RFC2617]. | Authentication: Basic and Digest Access Authentication" [RFC2617]. | |||
| Unlike WWW-Authenticate, the Proxy-Authenticate header field applies | Unlike WWW-Authenticate, the Proxy-Authenticate header field applies | |||
| only to the current connection and SHOULD NOT be passed on to | only to the current connection and SHOULD NOT be passed on to | |||
| downstream clients. However, an intermediate proxy might need to | downstream clients. However, an intermediate proxy might need to | |||
| obtain its own credentials by requesting them from the downstream | obtain its own credentials by requesting them from the downstream | |||
| client, which in some circumstances will appear as if the proxy is | client, which in some circumstances will appear as if the proxy is | |||
| forwarding the Proxy-Authenticate header field. | forwarding the Proxy-Authenticate header field. | |||
| 3.3. Proxy-Authorization | 4.3. Proxy-Authorization | |||
| The Proxy-Authorization request-header field allows the client to | The Proxy-Authorization request-header field allows the client to | |||
| identify itself (or its user) to a proxy which requires | identify itself (or its user) to a proxy which requires | |||
| authentication. The Proxy-Authorization field value consists of | authentication. The Proxy-Authorization field value consists of | |||
| credentials containing the authentication information of the user | credentials containing the authentication information of the user | |||
| agent for the proxy and/or realm of the resource being requested. | agent for the proxy and/or realm of the resource being requested. | |||
| Proxy-Authorization = "Proxy-Authorization" ":" credentials | Proxy-Authorization = "Proxy-Authorization" ":" credentials | |||
| The HTTP access authentication process is described in "HTTP | The HTTP access authentication process is described in "HTTP | |||
| Authentication: Basic and Digest Access Authentication" [RFC2617]. | Authentication: Basic and Digest Access Authentication" [RFC2617]. | |||
| Unlike Authorization, the Proxy-Authorization header field applies | Unlike Authorization, the Proxy-Authorization header field applies | |||
| only to the next outbound proxy that demanded authentication using | only to the next outbound proxy that demanded authentication using | |||
| the Proxy-Authenticate field. When multiple proxies are used in a | the Proxy-Authenticate field. When multiple proxies are used in a | |||
| chain, the Proxy-Authorization header field is consumed by the first | chain, the Proxy-Authorization header field is consumed by the first | |||
| outbound proxy that was expecting to receive credentials. A proxy | outbound proxy that was expecting to receive credentials. A proxy | |||
| MAY relay the credentials from the client request to the next proxy | MAY relay the credentials from the client request to the next proxy | |||
| if that is the mechanism by which the proxies cooperatively | if that is the mechanism by which the proxies cooperatively | |||
| authenticate a given request. | authenticate a given request. | |||
| 3.4. WWW-Authenticate | 4.4. WWW-Authenticate | |||
| The WWW-Authenticate response-header field MUST be included in 401 | The WWW-Authenticate response-header field MUST be included in 401 | |||
| (Unauthorized) response messages. The field value consists of at | (Unauthorized) response messages. The field value consists of at | |||
| least one challenge that indicates the authentication scheme(s) and | least one challenge that indicates the authentication scheme(s) and | |||
| parameters applicable to the Request-URI. | parameters applicable to the Request-URI. | |||
| WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge | WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge | |||
| The HTTP access authentication process is described in "HTTP | The HTTP access authentication process is described in "HTTP | |||
| Authentication: Basic and Digest Access Authentication" [RFC2617]. | Authentication: Basic and Digest Access Authentication" [RFC2617]. | |||
| User agents are advised to take special care in parsing the WWW- | User agents are advised to take special care in parsing the WWW- | |||
| Authenticate field value as it might contain more than one challenge, | Authenticate field value as it might contain more than one challenge, | |||
| or if more than one WWW-Authenticate header field is provided, the | or if more than one WWW-Authenticate header field is provided, the | |||
| contents of a challenge itself can contain a comma-separated list of | contents of a challenge itself can contain a comma-separated list of | |||
| authentication parameters. | authentication parameters. | |||
| 4. IANA Considerations | 5. IANA Considerations | |||
| TBD. | [[anchor2: TBD.]] | |||
| 5. Security Considerations | 6. Security Considerations | |||
| This section is meant to inform application developers, information | This section is meant to inform application developers, information | |||
| providers, and users of the security limitations in HTTP/1.1 as | providers, and users of the security limitations in HTTP/1.1 as | |||
| described by this document. The discussion does not include | described by this document. The discussion does not include | |||
| definitive solutions to the problems revealed, though it does make | definitive solutions to the problems revealed, though it does make | |||
| some suggestions for reducing security risks. | some suggestions for reducing security risks. | |||
| 5.1. Authentication Credentials and Idle Clients | 6.1. Authentication Credentials and Idle Clients | |||
| Existing HTTP clients and user agents typically retain authentication | Existing HTTP clients and user agents typically retain authentication | |||
| information indefinitely. HTTP/1.1 does not provide a method for a | information indefinitely. HTTP/1.1 does not provide a method for a | |||
| server to direct clients to discard these cached credentials. This | server to direct clients to discard these cached credentials. This | |||
| is a significant defect that requires further extensions to HTTP. | is a significant defect that requires further extensions to HTTP. | |||
| Circumstances under which credential caching can interfere with the | Circumstances under which credential caching can interfere with the | |||
| application's security model include but are not limited to: | application's security model include but are not limited to: | |||
| o Clients which have been idle for an extended period following | o Clients which have been idle for an extended period following | |||
| which the server might wish to cause the client to reprompt the | which the server might wish to cause the client to reprompt the | |||
| skipping to change at page 8, line 23 | skipping to change at page 8, line 34 | |||
| for the client to retain the credentials. | for the client to retain the credentials. | |||
| This is currently under separate study. There are a number of work- | This is currently under separate study. There are a number of work- | |||
| arounds to parts of this problem, and we encourage the use of | arounds to parts of this problem, and we encourage the use of | |||
| password protection in screen savers, idle time-outs, and other | password protection in screen savers, idle time-outs, and other | |||
| methods which mitigate the security problems inherent in this | methods which mitigate the security problems inherent in this | |||
| problem. In particular, user agents which cache credentials are | problem. In particular, user agents which cache credentials are | |||
| encouraged to provide a readily accessible mechanism for discarding | encouraged to provide a readily accessible mechanism for discarding | |||
| cached credentials under user control. | cached credentials under user control. | |||
| 6. Acknowledgments | 7. Acknowledgments | |||
| TBD. | TBD. | |||
| 7. References | 8. References | |||
| 7.1. Normative References | 8.1. Normative References | |||
| [Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., | ||||
| Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., | ||||
| and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections, | ||||
| and Message Parsing", draft-ietf-httpbis-p1-messaging-02 | ||||
| (work in progress), February 2008. | ||||
| [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., | [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., | |||
| Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., | Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., | |||
| and J. Reschke, Ed., "HTTP/1.1, part 6: Caching", | and J. Reschke, Ed., "HTTP/1.1, part 6: Caching", | |||
| draft-ietf-httpbis-p6-cache-01 (work in progress), | draft-ietf-httpbis-p6-cache-02 (work in progress), | |||
| January 2008. | February 2008. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
| Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
| Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
| RFC 2617, June 1999. | RFC 2617, June 1999. | |||
| 7.2. Informative References | 8.2. Informative References | |||
| [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | |||
| Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | |||
| Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | |||
| Appendix A. Compatibility with Previous Versions | Appendix A. Compatibility with Previous Versions | |||
| A.1. Changes from RFC 2616 | A.1. Changes from RFC 2616 | |||
| Appendix B. Change Log (to be removed by RFC Editor before publication) | Appendix B. Change Log (to be removed by RFC Editor before publication) | |||
| skipping to change at page 9, line 22 | skipping to change at page 9, line 39 | |||
| Extracted relevant partitions from [RFC2616]. | Extracted relevant partitions from [RFC2616]. | |||
| B.2. Since draft-ietf-httpbis-p7-auth-00 | B.2. Since draft-ietf-httpbis-p7-auth-00 | |||
| Closed issues: | Closed issues: | |||
| o <http://www3.tools.ietf.org/wg/httpbis/trac/ticket/35>: "Normative | o <http://www3.tools.ietf.org/wg/httpbis/trac/ticket/35>: "Normative | |||
| and Informative references" | and Informative references" | |||
| B.3. Since draft-ietf-httpbis-p7-auth-01 | ||||
| Ongoing work on ABNF conversion | ||||
| (<http://www3.tools.ietf.org/wg/httpbis/trac/ticket/36>): | ||||
| o Explicitly import BNF rules for "challenge" and "credentials" from | ||||
| RFC2617. | ||||
| o Add explicit references to BNF syntax and rules imported from | ||||
| other parts of the specification. | ||||
| Index | Index | |||
| 4 | 4 | |||
| 401 Unauthorized (status code) 4 | 401 Unauthorized (status code) 5 | |||
| 407 Proxy Authentication Required (status code) 5 | 407 Proxy Authentication Required (status code) 5 | |||
| A | A | |||
| Authorization header 5 | Authorization header 5 | |||
| G | G | |||
| Grammar | Grammar | |||
| Authorization 5 | Authorization 5 | |||
| challenge 4 | ||||
| credentials 4 | ||||
| Proxy-Authenticate 6 | Proxy-Authenticate 6 | |||
| Proxy-Authorization 6 | Proxy-Authorization 7 | |||
| WWW-Authenticate 7 | WWW-Authenticate 7 | |||
| H | H | |||
| Headers | Headers | |||
| Authorization 5 | Authorization 5 | |||
| Proxy-Authenticate 6 | Proxy-Authenticate 6 | |||
| Proxy-Authorization 6 | Proxy-Authorization 7 | |||
| WWW-Authenticate 7 | WWW-Authenticate 7 | |||
| P | P | |||
| Proxy-Authenticate header 6 | Proxy-Authenticate header 6 | |||
| Proxy-Authorization header 6 | Proxy-Authorization header 7 | |||
| S | S | |||
| Status Codes | Status Codes | |||
| 401 Unauthorized 4 | 401 Unauthorized 5 | |||
| 407 Proxy Authentication Required 5 | 407 Proxy Authentication Required 5 | |||
| W | W | |||
| WWW-Authenticate header 7 | WWW-Authenticate header 7 | |||
| Authors' Addresses | Authors' Addresses | |||
| Roy T. Fielding (editor) | Roy T. Fielding (editor) | |||
| Day Software | Day Software | |||
| 23 Corporate Plaza DR, Suite 280 | 23 Corporate Plaza DR, Suite 280 | |||
| End of changes. 36 change blocks. | ||||
| 49 lines changed or deleted | 81 lines changed or added | |||
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||