source: draft-ietf-httpauth-basicauth-update/latest/draft-ietf-httpauth-basicauth-update.html @ 26

Last change on this file since 26 was 26, checked in by julian.reschke@…, 8 years ago

remove bogus ref to RFC2045 for base64

1<!DOCTYPE html
2  PUBLIC "-//W3C//DTD HTML 4.01//EN">
3<html lang="en">
4   <head profile="http://dublincore.org/documents/2008/08/04/dc-html/">
5      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
6      <title>The 'Basic' HTTP Authentication Scheme</title><script>
// Whether the per-heading "send feedback" links are currently present in the
// page; flipped by feedback() after every toggle pass, read by toggleButton().
var buttonsAdded = false;
8
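// Adds the floating "feedback" toggle to the page (run from the body's load
// handler). The click handler is attached with addEventListener instead of an
// inline onclick string so the page keeps working under a Content-Security-
// Policy that disallows inline event handlers; role="button" and tabindex="0"
// make the div reachable and operable from the keyboard, which a bare
// clickable <div> is not.
function init() {
  var fb = document.createElement("div");
  fb.className = "feedback noprint";
  fb.setAttribute("role", "button");
  fb.setAttribute("tabindex", "0");
  fb.addEventListener("click", feedback);
  fb.addEventListener("keydown", function (ev) {
    // Enter or Space activates the control, matching native <button> behaviour.
    // keyCode fallback for browsers without KeyboardEvent.key.
    var key = ev.key;
    if (key === "Enter" || key === " " || key === "Spacebar" ||
        ev.keyCode === 13 || ev.keyCode === 32) {
      ev.preventDefault();
      feedback();
    }
  });
  fb.appendChild(document.createTextNode("feedback"));

  document.body.appendChild(fb);
}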
18
// Toggles the per-heading "send feedback" links on every h1–h4 and then
// records the new state in the global buttonsAdded flag.
function feedback() {
  var headings = ["h1", "h2", "h3", "h4"];
  for (var idx = 0; idx < headings.length; idx++) {
    toggleButtonsToElementsByName(headings[idx]);
  }

  buttonsAdded = !buttonsAdded;
}
27
// Applies toggleButton() to every element in the document with the given tag
// name (toggleButton only adds/removes <a> children, so the heading
// collection itself is not mutated while we walk it).
function toggleButtonsToElementsByName(name) {
  var nodes = document.getElementsByTagName(name);
  var count = nodes.length;
  for (var idx = 0; idx < count; idx++) {
    toggleButton(nodes[idx]);
  }
}
34
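/*
 * Adds a "send feedback" mailto: link to a heading node, or removes it again,
 * depending on the global buttonsAdded flag (false = add, true = remove).
 *
 * The mailto: URI carries the draft name, the heading text and a link to the
 * heading's anchor. All three values are passed through encodeURIComponent
 * before being spliced into the template, so heading text or the current page
 * URL cannot break out of the subject/body query parameters.
 */
function toggleButton(node) {
  if (!buttonsAdded) {
    var template = "mailto:http-auth@ietf.org?subject={docname},%20%22{section}%22&body=<{ref}>:";
    var docname = "draft-ietf-httpauth-basicauth-update-latest";

    // Anchor: the heading's own id, overridden by the last id found on a
    // nested <a> (the xml2rfc output puts the stable anchor there).
    // getAttribute() returns null when the attribute is absent; normalise to
    // "" so the fragment is omitted instead of becoming "#null".
    var id = node.getAttribute("id") || "";
    var titlelinks = node.getElementsByTagName("a");
    for (var i = 0; i < titlelinks.length; i++) {
      var linkId = titlelinks.item(i).getAttribute("id");
      if (linkId) {
        id = linkId;
      }
    }

    // Current page URL with any existing fragment stripped, plus the anchor.
    var ref = window.location.toString();
    var hash = ref.indexOf("#");
    if (hash != -1) {
      ref = ref.substring(0, hash);
    }
    if (id != "") {
      ref += "#" + id;
    }

    // Heading text. xml2rfc separates section number and title with NBSP and
    // a heading may contain more than one; String.replace with a string
    // pattern only replaces the first occurrence, so use a global regex.
    var section = node.textContent.replace(/\u00a0/g, " ");

    // Build the URI from the template; every substituted value is
    // percent-encoded (encodeURIComponent never emits "$", so the replacement
    // strings cannot trigger String.replace's "$&"/"$n" patterns).
    var uri = template.replace("{docname}", encodeURIComponent(docname));
    uri = uri.replace("{section}", encodeURIComponent(section));
    uri = uri.replace("{ref}", encodeURIComponent(ref));

    var button = document.createElement("a");
    button.className = "fbbutton noprint";
    button.setAttribute("href", uri);
    button.appendChild(document.createTextNode("send feedback"));
    node.appendChild(button);
  }
  else {
    // getElementsByTagName returns a live collection: removing an element
    // shifts the remaining ones down, so walk it backwards to avoid skipping
    // a button that directly follows a removed one.
    var buttons = node.getElementsByTagName("a");
    for (var j = buttons.length - 1; j >= 0; j--) {
      var b = buttons.item(j);
      if (b.className == "fbbutton noprint") {
        node.removeChild(b);
      }
    }
  }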
88}</script><style type="text/css" title="Xml2Rfc (sans serif)">
89a {
90  text-decoration: none;
91}
92a.smpl {
93  color: black;
94}
95a:hover {
96  text-decoration: underline;
97}
98a:active {
99  text-decoration: underline;
100}
101address {
102  margin-top: 1em;
103  margin-left: 2em;
104  font-style: normal;
105}
106body {
107  color: black;
108  font-family: verdana, helvetica, arial, sans-serif;
109  font-size: 10pt;
110  margin-right: 2em;
111}
112cite {
113  font-style: normal;
114}
115dl {
116  margin-left: 2em;
117}
118ul.empty {
119  list-style-type: none;
120}
121ul.empty li {
122  margin-top: .5em;
123}
124dl p {
125  margin-left: 0em;
126}
127dt {
128  margin-top: .5em;
129}
130h1 {
131  font-size: 14pt;
132  line-height: 21pt;
133  page-break-after: avoid;
134}
135h1.np {
136  page-break-before: always;
137}
138h1 a {
139  color: #333333;
140}
141h2 {
142  font-size: 12pt;
143  line-height: 15pt;
144  page-break-after: avoid;
145}
146h3, h4, h5, h6 {
147  font-size: 10pt;
148  page-break-after: avoid;
149}
150h2 a, h3 a, h4 a, h5 a, h6 a {
151  color: black;
152}
153img {
154  margin-left: 3em;
155}
156li {
157  margin-left: 2em;
158}
159ol {
160  margin-left: 2em;
161}
162ol.la {
163  list-style-type: lower-alpha;
164}
165ol.ua {
166  list-style-type: upper-alpha;
167}
168ol p {
169  margin-left: 0em;
170}
171p {
172  margin-left: 2em;
173}
174pre {
175  margin-left: 3em;
176  background-color: lightyellow;
177  padding: .25em;
178  page-break-inside: avoid;
179}
180pre.text2 {
181  border-style: dotted;
182  border-width: 1px;
183  background-color: #f0f0f0;
184  width: 69em;
185}
186pre.inline {
187  background-color: white;
188  padding: 0em;
189}
190pre.text {
191  border-style: dotted;
192  border-width: 1px;
193  background-color: #f8f8f8;
194  width: 69em;
195}
196pre.drawing {
197  border-style: solid;
198  border-width: 1px;
199  background-color: #f8f8f8;
200  padding: 2em;
201}
202table {
203  margin-left: 2em;
204}
205table.header {
206  border-spacing: 1px;
207  width: 95%;
208  font-size: 10pt;
209  color: white;
210}
211td.top {
212  vertical-align: top;
213}
214td.topnowrap {
215  vertical-align: top;
216  white-space: nowrap;
217}
218table.header td {
219  background-color: gray;
220  width: 50%;
221}
222table.header a {
223  color: white;
224}
225td.reference {
226  vertical-align: top;
227  white-space: nowrap;
228  padding-right: 1em;
229}
230thead {
231  display:table-header-group;
232}
233ul.toc, ul.toc ul {
234  list-style: none;
235  margin-left: 1.5em;
236  padding-left: 0em;
237}
238ul.toc li {
239  line-height: 150%;
240  font-weight: bold;
241  font-size: 10pt;
242  margin-left: 0em;
243}
244ul.toc li li {
245  line-height: normal;
246  font-weight: normal;
247  font-size: 9pt;
248  margin-left: 0em;
249}
250li.excluded {
251  font-size: 0pt;
252}
253ul p {
254  margin-left: 0em;
255}
256ul.ind, ul.ind ul {
257  list-style: none;
258  margin-left: 1.5em;
259  padding-left: 0em;
260  page-break-before: avoid;
261}
262ul.ind li {
263  font-weight: bold;
264  line-height: 200%;
265  margin-left: 0em;
266}
267ul.ind li li {
268  font-weight: normal;
269  line-height: 150%;
270  margin-left: 0em;
271}
272.avoidbreak {
273  page-break-inside: avoid;
274}
275.bcp14 {
276  font-style: normal;
277  text-transform: lowercase;
278  font-variant: small-caps;
279}
280.comment {
281  background-color: yellow;
282}
283.center {
284  text-align: center;
285}
286.error {
287  color: red;
288  font-style: italic;
289  font-weight: bold;
290}
291.figure {
292  font-weight: bold;
293  text-align: center;
294  font-size: 9pt;
295}
296.filename {
297  color: #333333;
298  font-weight: bold;
299  font-size: 12pt;
300  line-height: 21pt;
301  text-align: center;
302}
303.fn {
304  font-weight: bold;
305}
306.left {
307  text-align: left;
308}
309.right {
310  text-align: right;
311}
312.title {
313  color: #990000;
314  font-size: 18pt;
315  line-height: 18pt;
316  font-weight: bold;
317  text-align: center;
318  margin-top: 36pt;
319}
320.vcardline {
321  display: block;
322}
323.warning {
324  font-size: 14pt;
325  background-color: yellow;
326}
327
328table.openissue {
329  background-color: khaki;
330  border-width: thin;
331  border-style: solid;
332  border-color: black;
333}
334table.closedissue {
335  background-color: white;
336  border-width: thin;
337  border-style: solid;
338  border-color: gray;
339  color: gray;
340}
341thead th {
342  text-align: left;
343}
344.bg-issue {
345  border: solid;
346  border-width: 1px;
347  font-size: 7pt;
348}
349.closed-issue {
350  border: solid;
351  border-width: thin;
352  background-color: lime;
353  font-size: smaller;
354  font-weight: bold;
355}
356.open-issue {
357  border: solid;
358  border-width: thin;
359  background-color: red;
360  font-size: smaller;
361  font-weight: bold;
362}
363.editor-issue {
364  border: solid;
365  border-width: thin;
366  background-color: yellow;
367  font-size: smaller;
368  font-weight: bold;
369}.feedback {
370  position: fixed;
371  bottom: 1%;
372  right: 1%;
373  padding: 3px 5px;
374  color: white;
375  border-radius: 5px;
376  background: #a00000;
377  border: 1px solid silver;
378}
379.fbbutton {
380  margin-left: 1em;
381  color: #303030;
382  font-size: small;
383  font-weight: normal;
384  background: #d0d000;
385  padding: 1px 4px;
386  border: 1px solid silver;
387  border-radius: 5px;
388}
389
390@media print {
391  .noprint {
392    display: none;
393  }
394
395  a {
396    color: black;
397    text-decoration: none;
398  }
399
400  table.header {
401    width: 90%;
402  }
403
404  td.header {
405    width: 50%;
406    color: black;
407    background-color: white;
408    vertical-align: top;
409    font-size: 12pt;
410  }
411
412  ul.toc a:nth-child(2)::after {
413    content: leader('.') target-counter(attr(href), page);
414  }
415
416  ul.ind li li a {
417    content: target-counter(attr(href), page);
418  }
419
420  .print2col {
421    column-count: 2;
422    -moz-column-count: 2;
423    column-fill: auto;
424  }
425}
426
427@page {
428  @top-left {
429       content: "Internet-Draft";
430  }
431  @top-right {
432       content: "September 2013";
433  }
434  @top-center {
435       content: "'Basic' HTTP Authentication Scheme";
436  }
437  @bottom-left {
438       content: "Reschke";
439  }
440  @bottom-center {
441       content: "Expires March 22, 2014";
442  }
443  @bottom-right {
444       content: "[Page " counter(page) "]";
445  }
446}
447
448@page:first {
449    @top-left {
450      content: normal;
451    }
452    @top-right {
453      content: normal;
454    }
455    @top-center {
456      content: normal;
457    }
458}
459</style><link rel="Contents" href="#rfc.toc">
460      <link rel="Author" href="#rfc.authors">
461      <link rel="Copyright" href="#rfc.copyrightnotice">
462      <link rel="Index" href="#rfc.index">
463      <link rel="Chapter" title="1 Introduction" href="#rfc.section.1">
464      <link rel="Chapter" title="2 Notational Conventions" href="#rfc.section.2">
465      <link rel="Chapter" title="3 The 'Basic' Authentication Scheme" href="#rfc.section.3">
466      <link rel="Chapter" title="4 Security Considerations" href="#rfc.section.4">
467      <link rel="Chapter" title="5 IANA Considerations" href="#rfc.section.5">
468      <link rel="Chapter" title="6 Acknowledgements" href="#rfc.section.6">
469      <link rel="Chapter" href="#rfc.section.7" title="7 References">
470      <link rel="Appendix" title="A Change Log (to be removed by RFC Editor before publication)" href="#rfc.section.A">
471      <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.599, 2013/08/29 10:34:28, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/">
472      <link rel="schema.dct" href="http://purl.org/dc/terms/">
473      <meta name="dct.creator" content="Reschke, J. F.">
474      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpauth-basicauth-update-latest">
475      <meta name="dct.issued" scheme="ISO8601" content="2013-09-18">
476      <meta name="dct.abstract" content="This document defines the &#34;Basic&#34; Hypertext Transfer Protocol (HTTP) Authentication Scheme.">
477      <meta name="description" content="This document defines the &#34;Basic&#34; Hypertext Transfer Protocol (HTTP) Authentication Scheme.">
478   </head>
479   <body onload="init();">
480      <table class="header">
481         <tbody>
482            <tr>
483               <td class="left">HTTPAuth Working Group</td>
484               <td class="right">J. Reschke</td>
485            </tr>
486            <tr>
487               <td class="left">Internet-Draft</td>
488               <td class="right">greenbytes</td>
489            </tr>
490            <tr>
491               <td class="left">Updates: <a href="http://tools.ietf.org/html/rfc2617">2617</a> (if approved)
492               </td>
493               <td class="right">September 18, 2013</td>
494            </tr>
495            <tr>
496               <td class="left">Intended status: Standards Track</td>
497               <td class="right"></td>
498            </tr>
499            <tr>
500               <td class="left">Expires: March 22, 2014</td>
501               <td class="right"></td>
502            </tr>
503         </tbody>
504      </table>
505      <p class="title">The 'Basic' HTTP Authentication Scheme<br><span class="filename">draft-ietf-httpauth-basicauth-update-latest</span></p>
506      <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
507      <p>This document defines the "Basic" Hypertext Transfer Protocol (HTTP) Authentication Scheme.</p>
508      <h1 id="rfc.note.1"><a href="#rfc.note.1">Editorial Note (To be removed by RFC Editor before publication)</a></h1>
509      <p>Discussion of this draft takes place on the HTTPAuth working group mailing list (http-auth@ietf.org), which is archived at &lt;<a href="http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html">http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html</a>&gt;.
510      </p>
511      <p>XML versions, latest edits and the issues list for this document are available from &lt;<a href="http://greenbytes.de/tech/webdav/#draft-ietf-httpauth-basicauth-update">http://greenbytes.de/tech/webdav/#draft-ietf-httpauth-basicauth-update</a>&gt;.
512      </p>
513      <p>The changes in this draft are summarized in <a href="#changes.since.00" title="Since draft-ietf-httpauth-basicauth-update-00">Appendix&nbsp;A.2</a>.
514      </p>
515      <h1><a id="rfc.status" href="#rfc.status">Status of This Memo</a></h1>
516      <p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
517      <p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute
518         working documents as Internet-Drafts. The list of current Internet-Drafts is at <a href="http://datatracker.ietf.org/drafts/current/">http://datatracker.ietf.org/drafts/current/</a>.
519      </p>
520      <p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other
521         documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work
522         in progress”.
523      </p>
524      <p>This Internet-Draft will expire on March 22, 2014.</p>
525      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
526      <p>Copyright © 2013 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
527      <p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights
528         and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License
529         text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified
530         BSD License.
531      </p>
532      <p>This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November
533         10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to
534         allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s)
535         controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative
536         works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate
537         it into languages other than English.
538      </p>
539      <hr class="noprint">
540      <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
541      <ul class="toc">
542         <li><a href="#rfc.section.1">1.</a>&nbsp;&nbsp;&nbsp;<a href="#introduction">Introduction</a></li>
543         <li><a href="#rfc.section.2">2.</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.section.2">Notational Conventions</a></li>
544         <li><a href="#rfc.section.3">3.</a>&nbsp;&nbsp;&nbsp;<a href="#basic.authentication.scheme">The 'Basic' Authentication Scheme</a></li>
545         <li><a href="#rfc.section.4">4.</a>&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a></li>
546         <li><a href="#rfc.section.5">5.</a>&nbsp;&nbsp;&nbsp;<a href="#iana.considerations">IANA Considerations</a></li>
547         <li><a href="#rfc.section.6">6.</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.section.6">Acknowledgements</a></li>
548         <li><a href="#rfc.section.7">7.</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.references">References</a><ul>
549               <li><a href="#rfc.section.7.1">7.1</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.references.1">Normative References</a></li>
550               <li><a href="#rfc.section.7.2">7.2</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.references.2">Informative References</a></li>
551            </ul>
552         </li>
553         <li><a href="#rfc.authors">Author's Address</a></li>
554         <li><a href="#rfc.section.A">A.</a>&nbsp;&nbsp;&nbsp;<a href="#change.log">Change Log (to be removed by RFC Editor before publication)</a><ul>
555               <li><a href="#rfc.section.A.1">A.1</a>&nbsp;&nbsp;&nbsp;<a href="#changes.since.rfc2617">Since RFC 2617</a></li>
556               <li><a href="#rfc.section.A.2">A.2</a>&nbsp;&nbsp;&nbsp;<a href="#changes.since.00">Since draft-ietf-httpauth-basicauth-update-00</a></li>
557            </ul>
558         </li>
559         <li><a href="#rfc.index">Index</a></li>
560      </ul>
561      <h2 id="rfc.issues-list"><a href="#rfc.issues-list">Issues list</a></h2>
562      <table>
563         <thead>
564            <tr>
565               <th>Id</th>
566               <th>Type</th>
567               <th>Status</th>
568               <th>Date</th>
569               <th>Raised By</th>
570            </tr>
571         </thead>
572         <tbody>
573            <tr>
574               <td><a href="#rfc.issue.edit">edit</a></td>
575               <td>edit</td>
576               <td>open</td>
577               <td>2013-09-11</td>
578               <td><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20edit">julian.reschke@greenbytes.de</a></td>
579            </tr>
580            <tr>
581               <td><a href="#rfc.issue.enc">enc</a></td>
582               <td>change</td>
583               <td>open</td>
584               <td>2013-09-12</td>
585               <td><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20enc">julian.reschke@greenbytes.de</a></td>
586            </tr>
587            <tr>
588               <td><a href="#rfc.issue.upd">upd</a></td>
589               <td>change</td>
590               <td>open</td>
591               <td>2013-09-12</td>
592               <td><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20upd">julian.reschke@greenbytes.de</a></td>
593            </tr>
594         </tbody>
595      </table>
596      <table class="openissue">
597         <tr>
598            <td colspan="3"><a id="rfc.issue.edit" class="open-issue">&nbsp;I&nbsp;</a>&nbsp;<em>edit</em>
599               &nbsp;
600               (type: edit, status: open)
601               
602            </td>
603         </tr>
604         <tr>
605            <td class="top"><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20edit"><i>julian.reschke@greenbytes.de</i></a></td>
606            <td class="topnowrap">2013-09-11</td>
607            <td class="top">
608               Umbrella issue for editorial fixes/enhancements.
609               
610            </td>
611         </tr>
612      </table>
613      <h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a>&nbsp;<a id="introduction" href="#introduction">Introduction</a></h1>
614      <p id="rfc.section.1.p.1">This document defines the "Basic" Hypertext Transfer Protocol (HTTP) Authentication Scheme (<a href="#draft-ietf-httpbis-p7-auth"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[draft-ietf-httpbis-p7-auth]</cite></a>). This scheme is not considered to be a secure method of user authentication unless used in conjunction with some external
615         secure system such as TLS (Transport Layer Security, <a href="#RFC5246"><cite title="The Transport Layer Security (TLS) Protocol Version 1.2">[RFC5246]</cite></a>), as the user name and password are passed over the network as cleartext.
616      </p>
617      <p id="rfc.section.1.p.2">The "Basic" scheme previously was defined in <a href="http://tools.ietf.org/html/rfc2617#section-2">Section 2</a> of <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. This document updates the definition, and also addresses internationalization issues.
618      </p>
      <p id="rfc.section.1.p.3">Other documents updating RFC 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication" (<a href="#draft-ietf-httpbis-p7-auth"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[draft-ietf-httpbis-p7-auth]</cite></a>, defining the authentication framework) and "HTTP Digest Update" (<a href="#draft-ietf-httpauth-digest-update"><cite title="HTTP Digest Update">[draft-ietf-httpauth-digest-update]</cite></a>, updating the definition of the "Digest" authentication scheme).
      </p>
621      <h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a>&nbsp;Notational Conventions
622      </h1>
623      <p id="rfc.section.2.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
624         in this document are to be interpreted as described in <a href="#RFC2119"><cite title="Key words for use in RFCs to Indicate Requirement Levels">[RFC2119]</cite></a>.
625      </p>
626      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="basic.authentication.scheme" href="#basic.authentication.scheme">The 'Basic' Authentication Scheme</a></h1>
627      <table class="openissue">
628         <tr>
629            <td colspan="3"><a id="rfc.issue.upd" class="open-issue">&nbsp;I&nbsp;</a>&nbsp;<em>upd</em>
630               &nbsp;
631               (type: change, status: open)
632               
633            </td>
634         </tr>
635         <tr>
636            <td class="top"><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20upd"><i>julian.reschke@greenbytes.de</i></a></td>
637            <td class="topnowrap">2013-09-12</td>
638            <td class="top">
639               Update the definition to reflect underlying changes (RFC2616-&gt;httpbis,
640               RFC2396-&gt;2616, other references).
641               
642            </td>
643         </tr>
644      </table>
645      <table class="openissue">
646         <tr>
647            <td colspan="3"><a id="rfc.issue.enc" class="open-issue">&nbsp;I&nbsp;</a>&nbsp;<em>enc</em>
648               &nbsp;
649               (type: change, status: open)
650               
651            </td>
652         </tr>
653         <tr>
654            <td class="top"><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20enc"><i>julian.reschke@greenbytes.de</i></a></td>
655            <td class="topnowrap">2013-09-12</td>
656            <td class="top">
657               Fix the encoding issue, by pulling in draft-ietf-httpauth-basicauth-enc.
658               
659            </td>
660         </tr>
661      </table>
      <p id="rfc.section.3.p.1">The "Basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password
         for each realm. The realm value should be considered an opaque string which can only be compared for equality with other realms
         on that server. The server will service the request only if it can validate the user-ID and password for the protection space
         of the Request-URI. There are no optional authentication parameters.
      </p>
667      <p id="rfc.section.3.p.2">For Basic, the framework above is utilized as follows:</p>
668      <div id="rfc.figure.u.1"></div><pre class="inline"><span id="rfc.iref.c.1"></span><span id="rfc.iref.c.2"></span>   challenge   = "Basic" realm
669   credentials = "Basic" basic-credentials
670</pre><p id="rfc.section.3.p.4">Upon receipt of an unauthorized request for a URI within the protection space, the origin server <em class="bcp14">MAY</em> respond with a challenge like the following:
671      </p>
672      <div id="rfc.figure.u.2"></div><pre class="text">   WWW-Authenticate: Basic realm="WallyWorld"
673</pre><p id="rfc.section.3.p.6">where "WallyWorld" is the string assigned by the server to identify the protection space of the Request-URI. A proxy may respond
674         with the same challenge using the Proxy-Authenticate header field.
675      </p>
      <p id="rfc.section.3.p.7">To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a
         base64 encoded string in the credentials (<a href="#RFC4648"><cite title="The Base16, Base32, and Base64 Data Encodings">[RFC4648]</cite></a>, <a href="http://tools.ietf.org/html/rfc4648#section-4">Section 4</a>). Because the userid cannot itself contain a colon (see the grammar below), a recipient splits the decoded string at
         the first colon; the password part may therefore contain colons. Note that base64 is a reversible encoding, not encryption:
         it provides no confidentiality for the credentials.
      </p>
679      <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.b.1"></span><span id="rfc.iref.b.2"></span><span id="rfc.iref.u.1"></span><span id="rfc.iref.u.2"></span><span id="rfc.iref.p.1"></span>   basic-credentials = base64-user-pass
680   base64-user-pass  = &lt;base64 <a href="#RFC4648"><cite title="The Base16, Base32, and Base64 Data Encodings">[RFC4648]</cite></a> encoding of user-pass,
681                    except not limited to 76 char/line&gt;
682   user-pass   = userid ":" password
683   userid      = *&lt;TEXT excluding ":"&gt;
684   password    = *TEXT
685</pre><p id="rfc.section.3.p.9">Userids might be case sensitive.</p>
686      <p id="rfc.section.3.p.10">If the user agent wishes to send the userid "Aladdin" and password "open sesame", it would use the following header field:</p>
687      <div id="rfc.figure.u.4"></div><pre class="text">   Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
688</pre><p id="rfc.section.3.p.12">A client <em class="bcp14">SHOULD</em> assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are
689         within the protection space specified by the Basic realm value of the current challenge. A client <em class="bcp14">MAY</em> preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another
690         challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the
691         Proxy-Authorization header field without receiving another challenge from the proxy server. See <a href="#security.considerations" title="Security Considerations">Section&nbsp;4</a> for security considerations associated with Basic authentication.
692      </p>
693      <h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a>&nbsp;<a id="security.considerations" href="#security.considerations">Security Considerations</a></h1>
      <p id="rfc.section.4.p.1">The Basic authentication scheme is not a secure method of user authentication, nor does it in any way protect the entity
         (the message body), which is transmitted in cleartext across the physical network used as the carrier. HTTP does not prevent
         the addition of enhancements (such as schemes to use one-time passwords) to Basic authentication.
      </p>
698      <p id="rfc.section.4.p.2">The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password
699         over the physical network. Many other authentication schemes address this problem.
700      </p>
      <p id="rfc.section.4.p.3">Because Basic authentication involves the cleartext transmission of passwords it <em class="bcp14">SHOULD NOT</em> be used (without enhancements such as the use of TLS described in <a href="#introduction" title="Introduction">Section&nbsp;1</a>) to protect sensitive or valuable information.
      </p>
703      <p id="rfc.section.4.p.4">A common use of Basic authentication is for identification purposes — requiring the user to provide a user name and password
704         as a means of identification, for example, for purposes of gathering accurate usage statistics on a server. When used in this
705         way it is tempting to think that there is no danger in its use if illicit access to the protected documents is not a major
706         concern. This is only correct if the server issues both user name and password to the users and in particular does not allow
707         the user to choose his or her own password. The danger arises because naive users frequently reuse a single password to avoid
708         the task of maintaining multiple passwords.
709      </p>
      <p id="rfc.section.4.p.5">If a server permits users to select their own passwords, then the threat is not only unauthorized access to documents on the
         server but also unauthorized access to any other resources on other systems that the user protects with the same password.
         Furthermore, in the server's password database, many of the passwords may also be users' passwords for other sites. The owner
         or administrator of such a system could therefore expose all users of the system to the risk of unauthorized access to all
         those sites if this information is not maintained in a secure fashion (for example, by storing only salted one-way hashes of
         the passwords rather than the passwords themselves).
      </p>
716      <p id="rfc.section.4.p.6">Basic Authentication is also vulnerable to spoofing by counterfeit servers. If a user can be led to believe that he is connecting
717         to a host containing information protected by Basic authentication when, in fact, he is connecting to a hostile server or
718         gateway, then the attacker can request a password, store it for later use, and feign an error. This type of attack is not
719         possible with Digest Authentication. Server implementers <em class="bcp14">SHOULD</em> guard against the possibility of this sort of counterfeiting by gateways or CGI scripts. In particular it is very dangerous
720         for a server to simply turn over a connection to a gateway. That gateway can then use the persistent connection mechanism
721         to engage in multiple transactions with the client while impersonating the original server in a way that is not detectable
722         by the client.
723      </p>
724      <h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a>&nbsp;<a id="iana.considerations" href="#iana.considerations">IANA Considerations</a></h1>
725      <p id="rfc.section.5.p.1">IANA maintains the registry of HTTP Authentication Schemes (<a href="#draft-ietf-httpbis-p7-auth"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[draft-ietf-httpbis-p7-auth]</cite></a>) at &lt;<a href="http://www.iana.org/assignments/http-authschemes">http://www.iana.org/assignments/http-authschemes</a>&gt;.
726      </p>
727      <p id="rfc.section.5.p.2">The entry for the "Basic" Authentication Scheme shall be updated with a pointer to this specification.</p>
728      <h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a>&nbsp;Acknowledgements
729      </h1>
730      <p id="rfc.section.6.p.1">This specification takes over the definition of the "Basic" HTTP Authentication Scheme, previously defined in RFC 2617. We
731         thank John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence
732         C. Stewart for their work on that specification, from which significant amounts of text were borrowed. See <a href="http://tools.ietf.org/html/rfc2617#section-6">Section 6</a> of <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a> for further acknowledgements.
733      </p>
734      <h1 id="rfc.references"><a id="rfc.section.7" href="#rfc.section.7">7.</a> References
735      </h1>
736      <h2 id="rfc.references.1"><a href="#rfc.section.7.1" id="rfc.section.7.1">7.1</a> Normative References
737      </h2>
738      <table>
739         <tr>
740            <td class="reference"><b id="RFC2119">[RFC2119]</b></td>
741            <td class="top">Bradner, S., “<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>”, BCP&nbsp;14, RFC&nbsp;2119, March&nbsp;1997.
742            </td>
743         </tr>
744         <tr>
745            <td class="reference"><b id="RFC4648">[RFC4648]</b></td>
746            <td class="top">Josefsson, S., “<a href="http://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>”, RFC&nbsp;4648, October&nbsp;2006.
747            </td>
748         </tr>
749         <tr>
750            <td class="reference"><b id="draft-ietf-httpbis-p7-auth">[draft-ietf-httpbis-p7-auth]</b></td>
751            <td class="top">Fielding, R., Ed. and J. Reschke, Ed., “<a href="http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-23">Hypertext Transfer Protocol (HTTP/1.1): Authentication</a>”, Internet-Draft&nbsp;draft-ietf-httpbis-p7-auth-23 (work in progress), July&nbsp;2013.
752            </td>
753         </tr>
754      </table>
755      <h2 id="rfc.references.2"><a href="#rfc.section.7.2" id="rfc.section.7.2">7.2</a> Informative References
756      </h2>
757      <table>
758         <tr>
759            <td class="reference"><b id="RFC2617">[RFC2617]</b></td>
760            <td class="top">Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, “<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999.
761            </td>
762         </tr>
763         <tr>
764            <td class="reference"><b id="RFC5246">[RFC5246]</b></td>
765            <td class="top">Dierks, T. and E. Rescorla, “<a href="http://tools.ietf.org/html/rfc5246">The Transport Layer Security (TLS) Protocol Version 1.2</a>”, RFC&nbsp;5246, August&nbsp;2008.
766            </td>
767         </tr>
768         <tr>
769            <td class="reference"><b id="draft-ietf-httpauth-digest-update">[draft-ietf-httpauth-digest-update]</b></td>
770            <td class="top">Shekh-Yusef, R. and D. Ahrens, “<a href="http://tools.ietf.org/html/draft-ietf-httpauth-digest-update-05">HTTP Digest Update</a>”, Internet-Draft&nbsp;draft-ietf-httpauth-digest-update-05 (work in progress), September&nbsp;2013.
771            </td>
772         </tr>
773      </table>
774      <div class="avoidbreak">
775         <h1 id="rfc.authors"><a href="#rfc.authors">Author's Address</a></h1>
776         <address><span class="vcardline"><b>Julian F. Reschke</b></span><span class="vcardline">greenbytes GmbH</span><span class="vcardline">Hafenweg 16</span><span class="vcardline">Muenster, NW&nbsp;48155</span><span class="vcardline">Germany</span><span class="vcardline">Email: <a href="mailto:julian.reschke@greenbytes.de">julian.reschke@greenbytes.de</a></span><span class="vcardline">URI: <a href="http://greenbytes.de/tech/webdav/">http://greenbytes.de/tech/webdav/</a></span></address>
777      </div>
778      <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a>&nbsp;<a id="change.log" href="#change.log">Change Log (to be removed by RFC Editor before publication)</a></h1>
779      <h2 id="rfc.section.A.1"><a href="#rfc.section.A.1">A.1</a>&nbsp;<a id="changes.since.rfc2617" href="#changes.since.rfc2617">Since RFC 2617</a></h2>
780      <p id="rfc.section.A.1.p.1">This draft acts as a baseline for tracking subsequent changes to the specification. As such, it extracts the definition of
781         "Basic", plus the related Security Considerations, and also adds the IANA registration of the scheme. Changes to the actual
782         definition will be made in subsequent drafts.
783      </p>
784      <h2 id="rfc.section.A.2"><a href="#rfc.section.A.2">A.2</a>&nbsp;<a id="changes.since.00" href="#changes.since.00">Since draft-ietf-httpauth-basicauth-update-00</a></h2>
785      <p id="rfc.section.A.2.p.1">Fixed Base64 reference to point to an actual definition of Base64.</p>
786      <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1>
787      <p class="noprint"><a href="#rfc.index.B">B</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.U">U</a>
788      </p>
789      <div class="print2col">
790         <ul class="ind">
791            <li><a id="rfc.index.B" href="#rfc.index.B"><b>B</b></a><ul>
792                  <li><tt>base64-user-pass</tt>&nbsp;&nbsp;<a href="#rfc.iref.b.2"><b>3</b></a></li>
793                  <li><tt>basic-credentials</tt>&nbsp;&nbsp;<a href="#rfc.iref.b.1"><b>3</b></a></li>
794               </ul>
795            </li>
796            <li><a id="rfc.index.C" href="#rfc.index.C"><b>C</b></a><ul>
797                  <li>challenge&nbsp;&nbsp;<a href="#rfc.iref.c.1">3</a></li>
798                  <li>credentials&nbsp;&nbsp;<a href="#rfc.iref.c.2">3</a></li>
799               </ul>
800            </li>
801            <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul>
802                  <li><tt>password</tt>&nbsp;&nbsp;<a href="#rfc.iref.p.1"><b>3</b></a></li>
803               </ul>
804            </li>
805            <li><a id="rfc.index.U" href="#rfc.index.U"><b>U</b></a><ul>
806                  <li><tt>user-pass</tt>&nbsp;&nbsp;<a href="#rfc.iref.u.1"><b>3</b></a></li>
807                  <li><tt>userid</tt>&nbsp;&nbsp;<a href="#rfc.iref.u.2"><b>3</b></a></li>
808               </ul>
809            </li>
810         </ul>
811      </div>
812   </body>
813</html>