Last change on this file since 28 was 28, checked in by julian.reschke@…, 8 years ago

add ABNF ref and fix ABNF

1<!DOCTYPE html
2  PUBLIC "-//W3C//DTD HTML 4.01//EN">
3<html lang="en">
4   <head profile="http://dublincore.org/documents/2008/08/04/dc-html/">
5      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
6      <title>The 'Basic' HTTP Authentication Scheme</title><script>
// True while the per-heading "send feedback" links are present in the page;
// flipped by feedback() and read by toggleButton() to choose between adding
// and removing the links.
var buttonsAdded = false;
8
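// Creates the fixed-position "feedback" toggle and appends it to <body>.
// Invoked from the body element's onload attribute. A click on the toggle
// runs feedback(), which adds or removes the per-heading mailto links.
function init() {
  var fb = document.createElement("div");
  fb.className = "feedback noprint";
  // Assign the handler as a property instead of an onclick="feedback();"
  // attribute string: the click behaviour is the same, but no inline
  // event-handler markup is created, so this element does not need a
  // Content-Security-Policy 'unsafe-inline' allowance. (The onload attribute
  // on <body> and this inline <script> element would still need one.)
  fb.onclick = feedback;
  fb.appendChild(document.createTextNode("feedback"));

  document.body.appendChild(fb);
}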
18
// Adds or removes the "send feedback" links on every h1..h4 heading and
// records the new state in buttonsAdded (true after links were added).
function feedback() {
  var headingTags = ["h1", "h2", "h3", "h4"];
  for (var k = 0; k < headingTags.length; k++) {
    toggleButtonsToElementsByName(headingTags[k]);
  }

  buttonsAdded = !buttonsAdded;
}
27
// Runs toggleButton() on every element in the document with tag name `name`.
// The collection is live, so its length is re-read on each iteration.
function toggleButtonsToElementsByName(name) {
  var matches = document.getElementsByTagName(name);
  var idx = 0;
  while (idx < matches.length) {
    toggleButton(matches.item(idx));
    idx++;
  }
}
34
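// Adds to (or removes from) one heading a "send feedback" mailto link.
// When buttonsAdded is false, a link is appended whose href is built from the
// mailto template below: the subject carries the draft name and the heading
// text, the body a URI pointing back at this heading. When buttonsAdded is
// true, every link that was added this way is removed again.
//
// node: a heading element (h1..h4, see feedback()).
function toggleButton(node) {
  if (!buttonsAdded) {

    // mailto template; each {placeholder} is filled with an encoded value below
    var template = "mailto:http-auth@ietf.org?subject={docname},%20%22{section}%22&body=<{ref}>:";

    // Fragment id: the heading's own id, overridden by the id of the last
    // nested <a> that carries one (the generator puts the id on the inner
    // link for some headings). getAttribute() yields null when the attribute
    // is absent; normalise to "" so a heading without any id gets no
    // fragment instead of "#null".
    var id = node.getAttribute("id") || "";
    var titlelinks = node.getElementsByTagName("a");
    for (var i = 0; i < titlelinks.length; i++) {
      var tl = titlelinks.item(i);
      if (tl.getAttribute("id")) {
        id = tl.getAttribute("id");
      }
    }

    // ref: the current document URI without its fragment, plus the heading id
    var ref = window.location.toString();
    var hash = ref.indexOf("#");
    if (hash != -1) {
      ref = ref.substring(0, hash);
    }
    if (id) {
      ref += "#" + id;
    }

    // docname
    var docname = "draft-ietf-httpauth-basicauth-update-latest";

    // section: the heading text with every non-breaking space (the generator
    // separates section number and title with U+00A0) turned into a plain
    // space. A string pattern would replace only the first occurrence, so a
    // global regex is used.
    var section = node.textContent;
    section = section.replace(/\u00a0/g, " ");

    // build URI from template; every value is percent-encoded so heading text
    // or the page URI cannot introduce extra mailto parameters
    var uri = template.replace("{docname}", encodeURIComponent(docname));
    uri = uri.replace("{section}", encodeURIComponent(section));
    uri = uri.replace("{ref}", encodeURIComponent(ref));

    var button = document.createElement("a");
    button.className = "fbbutton noprint";
    button.setAttribute("href", uri);
    button.appendChild(document.createTextNode("send feedback"));
    node.appendChild(button);
  }
  else {
    // getElementsByTagName() returns a live collection: removing an element
    // shifts the following ones down, so a forward index loop would skip the
    // element right after each removal. Walk backwards instead.
    var buttons = node.getElementsByTagName("a");
    for (var j = buttons.length - 1; j >= 0; j--) {
      var b = buttons.item(j);
      if (b.className == "fbbutton noprint") {
        node.removeChild(b);
      }
    }
  }
}</script><style type="text/css" title="Xml2Rfc (sans serif)">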
/* Stylesheet emitted by rfc2629.xslt (see the generator <meta> in this
   document's head). Screen rules come first, then the print-only overrides,
   then the paged-media running headers and footers. */
a {
  text-decoration: none;
}
a.smpl {
  color: black;
}
a:hover {
  text-decoration: underline;
}
a:active {
  text-decoration: underline;
}
address {
  margin-top: 1em;
  margin-left: 2em;
  font-style: normal;
}
body {
  color: black;
  font-family: verdana, helvetica, arial, sans-serif;
  font-size: 10pt;
  margin-right: 2em;
}
cite {
  font-style: normal;
}
dl {
  margin-left: 2em;
}
ul.empty {
  list-style-type: none;
}
ul.empty li {
  margin-top: .5em;
}
dl p {
  margin-left: 0em;
}
dt {
  margin-top: .5em;
}
h1 {
  font-size: 14pt;
  line-height: 21pt;
  page-break-after: avoid;
}
/* "np" (new page) headings start a fresh page when printed */
h1.np {
  page-break-before: always;
}
h1 a {
  color: #333333;
}
h2 {
  font-size: 12pt;
  line-height: 15pt;
  page-break-after: avoid;
}
h3, h4, h5, h6 {
  font-size: 10pt;
  page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
  color: black;
}
img {
  margin-left: 3em;
}
li {
  margin-left: 2em;
}
ol {
  margin-left: 2em;
}
ol.la {
  list-style-type: lower-alpha;
}
ol.ua {
  list-style-type: upper-alpha;
}
ol p {
  margin-left: 0em;
}
p {
  margin-left: 2em;
}
/* Figures/artwork: pre.inline is used for ABNF, pre.text for example messages */
pre {
  margin-left: 3em;
  background-color: lightyellow;
  padding: .25em;
  page-break-inside: avoid;
}
pre.text2 {
  border-style: dotted;
  border-width: 1px;
  background-color: #f0f0f0;
  width: 69em;
}
pre.inline {
  background-color: white;
  padding: 0em;
}
pre.text {
  border-style: dotted;
  border-width: 1px;
  background-color: #f8f8f8;
  width: 69em;
}
pre.drawing {
  border-style: solid;
  border-width: 1px;
  background-color: #f8f8f8;
  padding: 2em;
}
table {
  margin-left: 2em;
}
/* table.header is the front-page metadata block (working group, author, dates) */
table.header {
  border-spacing: 1px;
  width: 95%;
  font-size: 10pt;
  color: white;
}
td.top {
  vertical-align: top;
}
td.topnowrap {
  vertical-align: top;
  white-space: nowrap;
}
table.header td {
  background-color: gray;
  width: 50%;
}
table.header a {
  color: white;
}
td.reference {
  vertical-align: top;
  white-space: nowrap;
  padding-right: 1em;
}
thead {
  display:table-header-group;
}
/* Table of contents and index lists */
ul.toc, ul.toc ul {
  list-style: none;
  margin-left: 1.5em;
  padding-left: 0em;
}
ul.toc li {
  line-height: 150%;
  font-weight: bold;
  font-size: 10pt;
  margin-left: 0em;
}
ul.toc li li {
  line-height: normal;
  font-weight: normal;
  font-size: 9pt;
  margin-left: 0em;
}
/* presumably collapses TOC entries that are excluded from the outline; no
   element in this document uses the class — verify against the XSLT */
li.excluded {
  font-size: 0pt;
}
ul p {
  margin-left: 0em;
}
ul.ind, ul.ind ul {
  list-style: none;
  margin-left: 1.5em;
  padding-left: 0em;
  page-break-before: avoid;
}
ul.ind li {
  font-weight: bold;
  line-height: 200%;
  margin-left: 0em;
}
ul.ind li li {
  font-weight: normal;
  line-height: 150%;
  margin-left: 0em;
}
.avoidbreak {
  page-break-inside: avoid;
}
/* RFC 2119 requirement keywords (<em class="bcp14">MUST</em> etc.) are
   rendered in small caps rather than italics */
.bcp14 {
  font-style: normal;
  text-transform: lowercase;
  font-variant: small-caps;
}
.comment {
  background-color: yellow;
}
.center {
  text-align: center;
}
.error {
  color: red;
  font-style: italic;
  font-weight: bold;
}
.figure {
  font-weight: bold;
  text-align: center;
  font-size: 9pt;
}
.filename {
  color: #333333;
  font-weight: bold;
  font-size: 12pt;
  line-height: 21pt;
  text-align: center;
}
.fn {
  font-weight: bold;
}
.left {
  text-align: left;
}
.right {
  text-align: right;
}
.title {
  color: #990000;
  font-size: 18pt;
  line-height: 18pt;
  font-weight: bold;
  text-align: center;
  margin-top: 36pt;
}
.vcardline {
  display: block;
}
.warning {
  font-size: 14pt;
  background-color: yellow;
}

/* Editorial issue tracking: the inline issues list and the per-issue boxes
   (table.openissue) with their status badges (.open-issue etc.) */
table.openissue {
  background-color: khaki;
  border-width: thin;
  border-style: solid;
  border-color: black;
}
table.closedissue {
  background-color: white;
  border-width: thin;
  border-style: solid;
  border-color: gray;
  color: gray;
}
thead th {
  text-align: left;
}
.bg-issue {
  border: solid;
  border-width: 1px;
  font-size: 7pt;
}
.closed-issue {
  border: solid;
  border-width: thin;
  background-color: lime;
  font-size: smaller;
  font-weight: bold;
}
.open-issue {
  border: solid;
  border-width: thin;
  background-color: red;
  font-size: smaller;
  font-weight: bold;
}
.editor-issue {
  border: solid;
  border-width: thin;
  background-color: yellow;
  font-size: smaller;
  font-weight: bold;
}
/* Feedback UI created by the script above: .feedback is the fixed toggle in
   the bottom-right corner, .fbbutton the per-heading "send feedback" link.
   Both also carry .noprint, so they disappear in the print stylesheet. */
.feedback {
  position: fixed;
  bottom: 1%;
  right: 1%;
  padding: 3px 5px;
  color: white;
  border-radius: 5px;
  background: #a00000;
  border: 1px solid silver;
}
.fbbutton {
  margin-left: 1em;
  color: #303030;
  font-size: small;
  font-weight: normal;
  background: #d0d000;
  padding: 1px 4px;
  border: 1px solid silver;
  border-radius: 5px;
}

/* Print overrides. The leader() and target-counter() functions are paged-media
   features intended for a print formatter; a user agent that does not
   understand them drops those declarations. */
@media print {
  .noprint {
    display: none;
  }

  a {
    color: black;
    text-decoration: none;
  }

  table.header {
    width: 90%;
  }

  td.header {
    width: 50%;
    color: black;
    background-color: white;
    vertical-align: top;
    font-size: 12pt;
  }

  /* dotted leader plus target page number after each TOC title link */
  ul.toc a:nth-child(2)::after {
    content: leader('.') target-counter(attr(href), page);
  }

  /* index entries show the page number of their target */
  ul.ind li li a {
    content: target-counter(attr(href), page);
  }

  .print2col {
    column-count: 2;
    -moz-column-count: 2;
    column-fill: auto;
  }
}

/* Running header and footer for paged output (draft name, date, title,
   author, expiry, page counter); the first page gets no header. */
@page {
  @top-left {
       content: "Internet-Draft";
  }
  @top-right {
       content: "September 2013";
  }
  @top-center {
       content: "'Basic' HTTP Authentication Scheme";
  }
  @bottom-left {
       content: "Reschke";
  }
  @bottom-center {
       content: "Expires March 23, 2014";
  }
  @bottom-right {
       content: "[Page " counter(page) "]";
  }
}

@page:first {
    @top-left {
      content: normal;
    }
    @top-right {
      content: normal;
    }
    @top-center {
      content: normal;
    }
}
459</style><link rel="Contents" href="#rfc.toc">
460      <link rel="Author" href="#rfc.authors">
461      <link rel="Copyright" href="#rfc.copyrightnotice">
462      <link rel="Index" href="#rfc.index">
463      <link rel="Chapter" title="1 Introduction" href="#rfc.section.1">
464      <link rel="Chapter" title="2 The 'Basic' Authentication Scheme" href="#rfc.section.2">
465      <link rel="Chapter" title="3 Security Considerations" href="#rfc.section.3">
466      <link rel="Chapter" title="4 IANA Considerations" href="#rfc.section.4">
467      <link rel="Chapter" title="5 Acknowledgements" href="#rfc.section.5">
468      <link rel="Chapter" href="#rfc.section.6" title="6 References">
469      <link rel="Appendix" title="A Change Log (to be removed by RFC Editor before publication)" href="#rfc.section.A">
470      <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.599, 2013/08/29 10:34:28, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/">
471      <link rel="schema.dct" href="http://purl.org/dc/terms/">
472      <meta name="dct.creator" content="Reschke, J. F.">
473      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpauth-basicauth-update-latest">
474      <meta name="dct.issued" scheme="ISO8601" content="2013-09-19">
475      <meta name="dct.abstract" content="This document defines the &#34;Basic&#34; Hypertext Transfer Protocol (HTTP) Authentication Scheme.">
476      <meta name="description" content="This document defines the &#34;Basic&#34; Hypertext Transfer Protocol (HTTP) Authentication Scheme.">
477   </head>
478   <body onload="init();">
479      <table class="header">
480         <tbody>
481            <tr>
482               <td class="left">HTTPAuth Working Group</td>
483               <td class="right">J. Reschke</td>
484            </tr>
485            <tr>
486               <td class="left">Internet-Draft</td>
487               <td class="right">greenbytes</td>
488            </tr>
489            <tr>
490               <td class="left">Updates: <a href="http://tools.ietf.org/html/rfc2617">2617</a> (if approved)
491               </td>
492               <td class="right">September 19, 2013</td>
493            </tr>
494            <tr>
495               <td class="left">Intended status: Standards Track</td>
496               <td class="right"></td>
497            </tr>
498            <tr>
499               <td class="left">Expires: March 23, 2014</td>
500               <td class="right"></td>
501            </tr>
502         </tbody>
503      </table>
504      <p class="title">The 'Basic' HTTP Authentication Scheme<br><span class="filename">draft-ietf-httpauth-basicauth-update-latest</span></p>
505      <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
506      <p>This document defines the "Basic" Hypertext Transfer Protocol (HTTP) Authentication Scheme.</p>
507      <h1 id="rfc.note.1"><a href="#rfc.note.1">Editorial Note (To be removed by RFC Editor before publication)</a></h1>
508      <p>Discussion of this draft takes place on the HTTPAuth working group mailing list (http-auth@ietf.org), which is archived at &lt;<a href="http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html">http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html</a>&gt;.
509      </p>
510      <p>XML versions, latest edits and the issues list for this document are available from &lt;<a href="http://greenbytes.de/tech/webdav/#draft-ietf-httpauth-basicauth-update">http://greenbytes.de/tech/webdav/#draft-ietf-httpauth-basicauth-update</a>&gt;.
511      </p>
512      <p>The changes in this draft are summarized in <a href="#changes.since.00" title="Since draft-ietf-httpauth-basicauth-update-00">Appendix&nbsp;A.2</a>.
513      </p>
514      <h1><a id="rfc.status" href="#rfc.status">Status of This Memo</a></h1>
515      <p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
516      <p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute
517         working documents as Internet-Drafts. The list of current Internet-Drafts is at <a href="http://datatracker.ietf.org/drafts/current/">http://datatracker.ietf.org/drafts/current/</a>.
518      </p>
519      <p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other
520         documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work
521         in progress”.
522      </p>
523      <p>This Internet-Draft will expire on March 23, 2014.</p>
524      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
525      <p>Copyright © 2013 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
526      <p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights
527         and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License
528         text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified
529         BSD License.
530      </p>
531      <p>This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November
532         10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to
533         allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s)
534         controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative
535         works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate
536         it into languages other than English.
537      </p>
538      <hr class="noprint">
539      <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
540      <ul class="toc">
541         <li><a href="#rfc.section.1">1.</a>&nbsp;&nbsp;&nbsp;<a href="#introduction">Introduction</a><ul>
542               <li><a href="#rfc.section.1.1">1.1</a>&nbsp;&nbsp;&nbsp;<a href="#notational.conventions">Notational Conventions</a><ul>
543                     <li><a href="#rfc.section.1.1.1">1.1.1</a>&nbsp;&nbsp;&nbsp;<a href="#syntax.notation">Syntax Notation</a></li>
544                  </ul>
545               </li>
546            </ul>
547         </li>
548         <li><a href="#rfc.section.2">2.</a>&nbsp;&nbsp;&nbsp;<a href="#basic.authentication.scheme">The 'Basic' Authentication Scheme</a></li>
549         <li><a href="#rfc.section.3">3.</a>&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a></li>
550         <li><a href="#rfc.section.4">4.</a>&nbsp;&nbsp;&nbsp;<a href="#iana.considerations">IANA Considerations</a></li>
551         <li><a href="#rfc.section.5">5.</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.section.5">Acknowledgements</a></li>
552         <li><a href="#rfc.section.6">6.</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.references">References</a><ul>
553               <li><a href="#rfc.section.6.1">6.1</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.references.1">Normative References</a></li>
554               <li><a href="#rfc.section.6.2">6.2</a>&nbsp;&nbsp;&nbsp;<a href="#rfc.references.2">Informative References</a></li>
555            </ul>
556         </li>
557         <li><a href="#rfc.authors">Author's Address</a></li>
558         <li><a href="#rfc.section.A">A.</a>&nbsp;&nbsp;&nbsp;<a href="#change.log">Change Log (to be removed by RFC Editor before publication)</a><ul>
559               <li><a href="#rfc.section.A.1">A.1</a>&nbsp;&nbsp;&nbsp;<a href="#changes.since.rfc2617">Since RFC 2617</a></li>
560               <li><a href="#rfc.section.A.2">A.2</a>&nbsp;&nbsp;&nbsp;<a href="#changes.since.00">Since draft-ietf-httpauth-basicauth-update-00</a></li>
561            </ul>
562         </li>
563         <li><a href="#rfc.index">Index</a></li>
564      </ul>
565      <h2 id="rfc.issues-list"><a href="#rfc.issues-list">Issues list</a></h2>
566      <table>
567         <thead>
568            <tr>
569               <th>Id</th>
570               <th>Type</th>
571               <th>Status</th>
572               <th>Date</th>
573               <th>Raised By</th>
574            </tr>
575         </thead>
576         <tbody>
577            <tr>
578               <td><a href="#rfc.issue.edit">edit</a></td>
579               <td>edit</td>
580               <td>open</td>
581               <td>2013-09-11</td>
582               <td><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20edit">julian.reschke@greenbytes.de</a></td>
583            </tr>
584            <tr>
585               <td><a href="#rfc.issue.enc">enc</a></td>
586               <td>change</td>
587               <td>open</td>
588               <td>2013-09-12</td>
589               <td><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20enc">julian.reschke@greenbytes.de</a></td>
590            </tr>
591            <tr>
592               <td><a href="#rfc.issue.upd">upd</a></td>
593               <td>change</td>
594               <td>open</td>
595               <td>2013-09-12</td>
596               <td><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20upd">julian.reschke@greenbytes.de</a></td>
597            </tr>
598         </tbody>
599      </table>
600      <table class="openissue">
601         <tr>
602            <td colspan="3"><a id="rfc.issue.edit" class="open-issue">&nbsp;I&nbsp;</a>&nbsp;<em>edit</em>
603               &nbsp;
604               (type: edit, status: open)
605               
606            </td>
607         </tr>
608         <tr>
609            <td class="top"><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20edit"><i>julian.reschke@greenbytes.de</i></a></td>
610            <td class="topnowrap">2013-09-11</td>
611            <td class="top">
612               Umbrella issue for editorial fixes/enhancements.
613               
614            </td>
615         </tr>
616      </table>
617      <h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a>&nbsp;<a id="introduction" href="#introduction">Introduction</a></h1>
618      <p id="rfc.section.1.p.1">This document defines the "Basic" Hypertext Transfer Protocol (HTTP) Authentication Scheme (<a href="#draft-ietf-httpbis-p7-auth"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[draft-ietf-httpbis-p7-auth]</cite></a>). This scheme is not considered to be a secure method of user authentication unless used in conjunction with some external
619         secure system such as TLS (Transport Layer Security, <a href="#RFC5246"><cite title="The Transport Layer Security (TLS) Protocol Version 1.2">[RFC5246]</cite></a>), as the user name and password are passed over the network as cleartext.
620      </p>
621      <p id="rfc.section.1.p.2">The "Basic" scheme previously was defined in <a href="http://tools.ietf.org/html/rfc2617#section-2">Section 2</a> of <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. This document updates the definition, and also addresses internationalization issues.
622      </p>
      <p id="rfc.section.1.p.3">Other documents updating RFC 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication" (<a href="#draft-ietf-httpbis-p7-auth"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[draft-ietf-httpbis-p7-auth]</cite></a>, defining the authentication framework) and "HTTP Digest Update" (<a href="#draft-ietf-httpauth-digest-update"><cite title="HTTP Digest Update">[draft-ietf-httpauth-digest-update]</cite></a>, updating the definition of the "Digest" authentication scheme).
624      </p>
625      <h2 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a>&nbsp;<a id="notational.conventions" href="#notational.conventions">Notational Conventions</a></h2>
626      <p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
627         in this document are to be interpreted as described in <a href="#RFC2119"><cite title="Key words for use in RFCs to Indicate Requirement Levels">[RFC2119]</cite></a>.
628      </p>
629      <h3 id="rfc.section.1.1.1"><a href="#rfc.section.1.1.1">1.1.1</a>&nbsp;<a id="syntax.notation" href="#syntax.notation">Syntax Notation</a></h3>
630      <p id="rfc.section.1.1.1.p.1">This specification uses the Augmented Backus-Naur Form (ABNF) notation of <a href="#RFC5234"><cite title="Augmented BNF for Syntax Specifications: ABNF">[RFC5234]</cite></a>.
631      </p>
632      <h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a>&nbsp;<a id="basic.authentication.scheme" href="#basic.authentication.scheme">The 'Basic' Authentication Scheme</a></h1>
633      <table class="openissue">
634         <tr>
635            <td colspan="3"><a id="rfc.issue.upd" class="open-issue">&nbsp;I&nbsp;</a>&nbsp;<em>upd</em>
636               &nbsp;
637               (type: change, status: open)
638               
639            </td>
640         </tr>
641         <tr>
642            <td class="top"><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20upd"><i>julian.reschke@greenbytes.de</i></a></td>
643            <td class="topnowrap">2013-09-12</td>
644            <td class="top">
645               Update the definition to reflect underlying changes (RFC2616-&gt;httpbis,
646               RFC2396-&gt;2616, other references).
647               
648            </td>
649         </tr>
650      </table>
651      <table class="openissue">
652         <tr>
653            <td colspan="3"><a id="rfc.issue.enc" class="open-issue">&nbsp;I&nbsp;</a>&nbsp;<em>enc</em>
654               &nbsp;
655               (type: change, status: open)
656               
657            </td>
658         </tr>
659         <tr>
660            <td class="top"><a href="mailto:julian.reschke@greenbytes.de?subject=draft-ietf-httpauth-basicauth-update-latest,%20enc"><i>julian.reschke@greenbytes.de</i></a></td>
661            <td class="topnowrap">2013-09-12</td>
662            <td class="top">
663               Fix the encoding issue, by pulling in draft-ietf-httpauth-basicauth-enc.
664               
665            </td>
666         </tr>
667      </table>
      <p id="rfc.section.2.p.1">The "Basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password
669         for each realm. The realm value should be considered an opaque string which can only be compared for equality with other realms
670         on that server. The server will service the request only if it can validate the user-ID and password for the protection space
671         of the Request-URI. There are no optional authentication parameters.
672      </p>
673      <p id="rfc.section.2.p.2">For Basic, the framework above is utilized as follows:</p>
674      <div id="rfc.figure.u.1"></div><pre class="inline"><span id="rfc.iref.c.1"></span><span id="rfc.iref.c.2"></span>   challenge   = "Basic" realm
675   credentials = "Basic" basic-credentials
676</pre><p id="rfc.section.2.p.4">Upon receipt of an unauthorized request for a URI within the protection space, the origin server <em class="bcp14">MAY</em> respond with a challenge like the following:
677      </p>
678      <div id="rfc.figure.u.2"></div><pre class="text">   WWW-Authenticate: Basic realm="WallyWorld"
679</pre><p id="rfc.section.2.p.6">where "WallyWorld" is the string assigned by the server to identify the protection space of the Request-URI. A proxy may respond
680         with the same challenge using the Proxy-Authenticate header field.
681      </p>
682      <p id="rfc.section.2.p.7">To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a
683         base64 encoded string in the credentials (<a href="#RFC4648"><cite title="The Base16, Base32, and Base64 Data Encodings">[RFC4648]</cite></a>, <a href="http://tools.ietf.org/html/rfc4648#section-4">Section 4</a>).
684      </p>
685      <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.b.1"></span><span id="rfc.iref.b.2"></span><span id="rfc.iref.u.1"></span><span id="rfc.iref.u.2"></span><span id="rfc.iref.p.1"></span>   basic-credentials = base64-user-pass
686   base64-user-pass  = &lt;base64 encoded user-pass&gt;
687                     ; <a href="#RFC4648"><cite title="The Base16, Base32, and Base64 Data Encodings">[RFC4648]</cite></a> encoding of user-pass,
688                     ; except not limited to 76 char/line
689   user-pass   = userid ":" password
690   userid      = *&lt;TEXT excluding ":"&gt;
691   password    = *TEXT
692</pre><p id="rfc.section.2.p.9">Userids might be case sensitive.</p>
693      <p id="rfc.section.2.p.10">If the user agent wishes to send the userid "Aladdin" and password "open sesame", it would use the following header field:</p>
694      <div id="rfc.figure.u.4"></div><pre class="text">   Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
695</pre><p id="rfc.section.2.p.12">A client <em class="bcp14">SHOULD</em> assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are
696         within the protection space specified by the Basic realm value of the current challenge. A client <em class="bcp14">MAY</em> preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another
697         challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the
698         Proxy-Authorization header field without receiving another challenge from the proxy server. See <a href="#security.considerations" title="Security Considerations">Section&nbsp;3</a> for security considerations associated with Basic authentication.
699      </p>
700      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="security.considerations" href="#security.considerations">Security Considerations</a></h1>
701      <p id="rfc.section.3.p.1">The Basic authentication scheme is not a secure method of user authentication, nor does it in any way protect the entity,
702         which is transmitted in cleartext across the physical network used as the carrier. HTTP does not prevent the addition of enhancements
703         (such as schemes to use one-time passwords) to Basic authentication.
704      </p>
705      <p id="rfc.section.3.p.2">The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password
706         over the physical network. Many other authentication schemes address this problem.
707      </p>
708      <p id="rfc.section.3.p.3">Because Basic authentication involves the cleartext transmission of passwords it <em class="bcp14">SHOULD NOT</em> be used (without enhancements) to protect sensitive or valuable information.
709      </p>
710      <p id="rfc.section.3.p.4">A common use of Basic authentication is for identification purposes — requiring the user to provide a user name and password
711         as a means of identification, for example, for purposes of gathering accurate usage statistics on a server. When used in this
712         way it is tempting to think that there is no danger in its use if illicit access to the protected documents is not a major
713         concern. This is only correct if the server issues both user name and password to the users and in particular does not allow
714         the user to choose his or her own password. The danger arises because naive users frequently reuse a single password to avoid
715         the task of maintaining multiple passwords.
716      </p>
717      <p id="rfc.section.3.p.5">If a server permits users to select their own passwords, then the threat is not only unauthorized access to documents on the
718         server but also unauthorized access to any other resources on other systems that the user protects with the same password.
719         Furthermore, in the server's password database, many of the passwords may also be users' passwords for other sites. The owner
720         or administrator of such a system could therefore expose all users of the system to the risk of unauthorized access to all
721         those sites if this information is not maintained in a secure fashion.
722      </p>
723      <p id="rfc.section.3.p.6">Basic Authentication is also vulnerable to spoofing by counterfeit servers. If a user can be led to believe that he is connecting
724         to a host containing information protected by Basic authentication when, in fact, he is connecting to a hostile server or
725         gateway, then the attacker can request a password, store it for later use, and feign an error. This type of attack is not
726         possible with Digest Authentication. Server implementers <em class="bcp14">SHOULD</em> guard against the possibility of this sort of counterfeiting by gateways or CGI scripts. In particular it is very dangerous
727         for a server to simply turn over a connection to a gateway. That gateway can then use the persistent connection mechanism
728         to engage in multiple transactions with the client while impersonating the original server in a way that is not detectable
729         by the client.
730      </p>
731      <h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a>&nbsp;<a id="iana.considerations" href="#iana.considerations">IANA Considerations</a></h1>
732      <p id="rfc.section.4.p.1">IANA maintains the registry of HTTP Authentication Schemes (<a href="#draft-ietf-httpbis-p7-auth"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[draft-ietf-httpbis-p7-auth]</cite></a>) at &lt;<a href="http://www.iana.org/assignments/http-authschemes">http://www.iana.org/assignments/http-authschemes</a>&gt;.
733      </p>
734      <p id="rfc.section.4.p.2">The entry for the "Basic" Authentication Scheme shall be updated with a pointer to this specification.</p>
735      <h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a>&nbsp;Acknowledgements
736      </h1>
737      <p id="rfc.section.5.p.1">This specification takes over the definition of the "Basic" HTTP Authentication Scheme, previously defined in RFC 2617. We
738         thank John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence
739         C. Stewart for their work on that specification, from which significant amounts of text were borrowed. See <a href="http://tools.ietf.org/html/rfc2617#section-6">Section 6</a> of <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a> for further acknowledgements.
740      </p>
741      <h1 id="rfc.references"><a id="rfc.section.6" href="#rfc.section.6">6.</a> References
742      </h1>
743      <h2 id="rfc.references.1"><a href="#rfc.section.6.1" id="rfc.section.6.1">6.1</a> Normative References
744      </h2>
745      <table>
746         <tr>
747            <td class="reference"><b id="RFC2119">[RFC2119]</b></td>
748            <td class="top">Bradner, S., “<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>”, BCP&nbsp;14, RFC&nbsp;2119, March&nbsp;1997.
749            </td>
750         </tr>
751         <tr>
752            <td class="reference"><b id="RFC4648">[RFC4648]</b></td>
753            <td class="top">Josefsson, S., “<a href="http://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>”, RFC&nbsp;4648, October&nbsp;2006.
754            </td>
755         </tr>
756         <tr>
757            <td class="reference"><b id="RFC5234">[RFC5234]</b></td>
758            <td class="top"><a href="mailto:dcrocker@bbiw.net" title="Brandenburg InternetWorking">Crocker, D., Ed.</a> and <a href="mailto:paul.overell@thus.net" title="THUS plc.">P. Overell</a>, “<a href="http://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a>”, STD&nbsp;68, RFC&nbsp;5234, January&nbsp;2008.
759            </td>
760         </tr>
761         <tr>
762            <td class="reference"><b id="draft-ietf-httpbis-p7-auth">[draft-ietf-httpbis-p7-auth]</b></td>
763            <td class="top">Fielding, R., Ed. and J. Reschke, Ed., “<a href="http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-23">Hypertext Transfer Protocol (HTTP/1.1): Authentication</a>”, Internet-Draft&nbsp;draft-ietf-httpbis-p7-auth-23 (work in progress), July&nbsp;2013.
764            </td>
765         </tr>
766      </table>
767      <h2 id="rfc.references.2"><a href="#rfc.section.6.2" id="rfc.section.6.2">6.2</a> Informative References
768      </h2>
769      <table>
770         <tr>
771            <td class="reference"><b id="RFC2617">[RFC2617]</b></td>
772            <td class="top">Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, “<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999.
773            </td>
774         </tr>
775         <tr>
776            <td class="reference"><b id="RFC5246">[RFC5246]</b></td>
777            <td class="top">Dierks, T. and E. Rescorla, “<a href="http://tools.ietf.org/html/rfc5246">The Transport Layer Security (TLS) Protocol Version 1.2</a>”, RFC&nbsp;5246, August&nbsp;2008.
778            </td>
779         </tr>
780         <tr>
781            <td class="reference"><b id="draft-ietf-httpauth-digest-update">[draft-ietf-httpauth-digest-update]</b></td>
782            <td class="top">Shekh-Yusef, R. and D. Ahrens, “<a href="http://tools.ietf.org/html/draft-ietf-httpauth-digest-update-05">HTTP Digest Update</a>”, Internet-Draft&nbsp;draft-ietf-httpauth-digest-update-05 (work in progress), September&nbsp;2013.
783            </td>
784         </tr>
785      </table>
786      <div class="avoidbreak">
787         <h1 id="rfc.authors"><a href="#rfc.authors">Author's Address</a></h1>
788         <address><span class="vcardline"><b>Julian F. Reschke</b></span><span class="vcardline">greenbytes GmbH</span><span class="vcardline">Hafenweg 16</span><span class="vcardline">Muenster, NW&nbsp;48155</span><span class="vcardline">Germany</span><span class="vcardline">Email: <a href="mailto:julian.reschke@greenbytes.de">julian.reschke@greenbytes.de</a></span><span class="vcardline">URI: <a href="http://greenbytes.de/tech/webdav/">http://greenbytes.de/tech/webdav/</a></span></address>
789      </div>
790      <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a>&nbsp;<a id="change.log" href="#change.log">Change Log (to be removed by RFC Editor before publication)</a></h1>
791      <h2 id="rfc.section.A.1"><a href="#rfc.section.A.1">A.1</a>&nbsp;<a id="changes.since.rfc2617" href="#changes.since.rfc2617">Since RFC 2617</a></h2>
792      <p id="rfc.section.A.1.p.1">This draft acts as a baseline for tracking subsequent changes to the specification. As such, it extracts the definition of
793         "Basic", plus the related Security Considerations, and also adds the IANA registration of the scheme. Changes to the actual
794         definition will be made in subsequent drafts.
795      </p>
796      <h2 id="rfc.section.A.2"><a href="#rfc.section.A.2">A.2</a>&nbsp;<a id="changes.since.00" href="#changes.since.00">Since draft-ietf-httpauth-basicauth-update-00</a></h2>
797      <p id="rfc.section.A.2.p.1">Fixed Base64 reference to point to an actual definition of Base64.</p>
798      <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1>
799      <p class="noprint"><a href="#rfc.index.B">B</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.U">U</a>
800      </p>
801      <div class="print2col">
802         <ul class="ind">
803            <li><a id="rfc.index.B" href="#rfc.index.B"><b>B</b></a><ul>
804                  <li><tt>base64-user-pass</tt>&nbsp;&nbsp;<a href="#rfc.iref.b.2"><b>2</b></a></li>
805                  <li><tt>basic-credentials</tt>&nbsp;&nbsp;<a href="#rfc.iref.b.1"><b>2</b></a></li>
806               </ul>
807            </li>
808            <li><a id="rfc.index.C" href="#rfc.index.C"><b>C</b></a><ul>
809                  <li>challenge&nbsp;&nbsp;<a href="#rfc.iref.c.1">2</a></li>
810                  <li>credentials&nbsp;&nbsp;<a href="#rfc.iref.c.2">2</a></li>
811               </ul>
812            </li>
813            <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul>
814                  <li><tt>password</tt>&nbsp;&nbsp;<a href="#rfc.iref.p.1"><b>2</b></a></li>
815               </ul>
816            </li>
817            <li><a id="rfc.index.U" href="#rfc.index.U"><b>U</b></a><ul>
818                  <li><tt>user-pass</tt>&nbsp;&nbsp;<a href="#rfc.iref.u.1"><b>2</b></a></li>
819                  <li><tt>userid</tt>&nbsp;&nbsp;<a href="#rfc.iref.u.2"><b>2</b></a></li>
820               </ul>
821            </li>
822         </ul>
823      </div>
824   </body>
825</html>