source: draft-ietf-httpauth-basicauth-update/latest/draft-ietf-httpauth-basicauth-update.xml @ 28

Last change on this file since 28 was 28, checked in by julian.reschke@…, 8 years ago

add ABNF ref and fix ABNF

  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/xml
File size: 16.4 KB
Line 
1<?xml version="1.0" encoding="utf-8"?>
2<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
3<?rfc toc="yes"?>
4<?rfc symrefs="yes"?>
5<?rfc sortrefs="yes"?>
6<?rfc compact="yes"?>
7<?rfc comments="yes"?>
8<?rfc inline="yes"?>
9<?rfc subcompact="no"?>
10<?rfc rfcedstyle="yes"?>
11<?rfc-ext allow-markup-in-artwork="yes" ?>
12
13<!DOCTYPE rfc [
14  <!ENTITY MAY "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MAY</bcp14>">
15  <!ENTITY MUST "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MUST</bcp14>">
16  <!ENTITY MUST-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MUST NOT</bcp14>">
17  <!ENTITY OPTIONAL "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>OPTIONAL</bcp14>">
18  <!ENTITY RECOMMENDED "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>RECOMMENDED</bcp14>">
19  <!ENTITY REQUIRED "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>REQUIRED</bcp14>">
20  <!ENTITY SHALL "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHALL</bcp14>">
21  <!ENTITY SHALL-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHALL NOT</bcp14>">
22  <!ENTITY SHOULD "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHOULD</bcp14>">
23  <!ENTITY SHOULD-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHOULD NOT</bcp14>">
24  <!ENTITY mdash "&#8212;">
25]>
26
27<rfc xmlns:x="http://purl.org/net/xml2rfc/ext" xmlns:ed="http://greenbytes.de/2002/rfcedit" ipr="pre5378Trust200902" docName="draft-ietf-httpauth-basicauth-update-latest" category="std" xml:lang="en" updates="2617" x:maturity-level="proposed">
28
29  <x:feedback template="mailto:http-auth@ietf.org?subject={docname},%20%22{section}%22&amp;body=&lt;{ref}&gt;:"/>
30
31        <front>
32  <title abbrev="'Basic' HTTP Authentication Scheme">The 'Basic' HTTP Authentication Scheme</title>
33  <author initials="J. F." surname="Reschke" fullname="Julian F. Reschke">
34    <organization abbrev="greenbytes">greenbytes GmbH</organization>
35    <address>
36      <postal>
37        <street>Hafenweg 16</street>
38        <city>Muenster</city><region>NW</region><code>48155</code>
39        <country>Germany</country>
40      </postal>
41      <email>julian.reschke@greenbytes.de</email>       
42      <uri>http://greenbytes.de/tech/webdav/</uri>     
43    </address>
44  </author>
45
46  <date month="September" year="2013"/>
47 
48  <area>Applications</area>
49  <workgroup>HTTPAuth Working Group</workgroup>
50 
51  <abstract>
52    <t>
53      This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
54      Authentication Scheme.
55    </t>
56  </abstract>
57 
58  <note title="Editorial Note (To be removed by RFC Editor before publication)">
59    <t>
60      Discussion of this draft takes place on the HTTPAuth working group
61      mailing list (http-auth@ietf.org), which is archived at
62      <eref target="http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html"/>.
63    </t>
64    <t>
65      XML versions, latest edits and the issues list for this document
66      are available from <eref target="http://greenbytes.de/tech/webdav/#draft-ietf-httpauth-basicauth-update"/>.
67    </t>
68    <t>
69      The changes in this draft are summarized in <xref target="changes.since.00"/>.
70    </t>
71  </note>
72  </front>
73
74  <middle>
75
76
77<ed:issue name="edit" type="edit" status="open">
78  <ed:item entered-by="julian.reschke@greenbytes.de" date="2013-09-11">
79    Umbrella issue for editorial fixes/enhancements.
80  </ed:item>
81</ed:issue>
82
83<section title="Introduction" anchor="introduction">
84<t>
85  This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
86  Authentication Scheme (<xref target="draft-ietf-httpbis-p7-auth"/>).
87  This scheme is not considered to be a secure method of user authentication
88  unless used in conjunction with some external secure system such as TLS
89  (Transport Layer Security, <xref target="RFC5246"/>), as the user name and
90  password are passed over the network as cleartext.
91</t>
92<t>
93  The "Basic" scheme previously was defined in <xref target="RFC2617" x:fmt="of" x:sec="2"/>.
94  This document updates the definition, and also addresses internationalization issues.
95</t>
96<t>
97  Other documents updating RFC 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication"
98  (<xref target="draft-ietf-httpbis-p7-auth"/>, defining the authentication framework) and
99  "HTTP Digest Update" (<xref target="draft-ietf-httpauth-digest-update"/>,
100  updating the definition of the '"Digest" authentication scheme).
101</t>
102
103<section title="Notational Conventions"  anchor="notational.conventions">
104<t>
105  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
106  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
107  are to be interpreted as described in <xref target="RFC2119"/>.
108</t>
109
110<section title="Syntax Notation" anchor="syntax.notation">
111<t>
112   This specification uses the Augmented Backus-Naur Form (ABNF) notation
113   of <xref target="RFC5234"/>.
114</t>
115</section>
116
117</section> 
118</section> 
119
120<section title="The 'Basic' Authentication Scheme" anchor="basic.authentication.scheme">
121<ed:issue name="upd" type="change" status="open">
122  <ed:item entered-by="julian.reschke@greenbytes.de" date="2013-09-12">
123    Update the definition to reflect underlying changes (RFC2616->httpbis,
124    RFC2396->2616, other references).
125  </ed:item>
126</ed:issue>
127<ed:issue name="enc" type="change" status="open">
128  <ed:item entered-by="julian.reschke@greenbytes.de" date="2013-09-12">
129    Fix the encoding issue, by pulling in draft-ietf-httpauth-basicauth-enc.
130  </ed:item>
131</ed:issue>
132<t>
133   The "basic" authentication scheme is based on the model that the
134   client must authenticate itself with a user-ID and a password for
135   each realm.  The realm value should be considered an opaque string
136   which can only be compared for equality with other realms on that
137   server. The server will service the request only if it can validate
138   the user-ID and password for the protection space of the Request-URI.
139   There are no optional authentication parameters.
140</t>
141<t>
142   For Basic, the framework above is utilized as follows:
143</t>
144<figure><artwork type="abnf"><iref item="challenge"/><iref item="credentials"/>
145   challenge   = "Basic" realm
146   credentials = "Basic" basic-credentials
147</artwork></figure>
148<t>
149   Upon receipt of an unauthorized request for a URI within the
150   protection space, the origin server &MAY; respond with a challenge like
151   the following:
152</t>
153<figure><artwork type="example">
154   WWW-Authenticate: Basic realm="WallyWorld"
155</artwork></figure>
156<t>
157   where "WallyWorld" is the string assigned by the server to identify
158   the protection space of the Request-URI. A proxy may respond with the
159   same challenge using the Proxy-Authenticate header field.
160</t>
161<t>
162   To receive authorization, the client sends the userid and password,
163   separated by a single colon (":") character, within a base64
164   encoded string in the credentials (<xref target="RFC4648" x:fmt="," x:sec="4"/>).
165</t>
166<figure><artwork type="abnf"><iref item="basic-credentials" primary="true"
167/><iref item="base64-user-pass" primary="true"
168/><iref item="user-pass" primary="true"
169/><iref item="userid" primary="true"
170/><iref item="password" primary="true"/>
171   basic-credentials = base64-user-pass
172   base64-user-pass  = &lt;base64 encoded user-pass>
173                     ; <xref target="RFC4648"/> encoding of user-pass,
174                     ; except not limited to 76 char/line
175   user-pass   = userid ":" password
176   userid      = *&lt;TEXT excluding ":">
177   password    = *TEXT
178</artwork></figure>
179<t>
180   Userids might be case sensitive.
181</t>
182<t>
183   If the user agent wishes to send the userid "Aladdin" and password
184   "open sesame", it would use the following header field:
185</t>
186<figure><artwork type="example">
187   Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
188</artwork></figure>
189<t>
190   A client &SHOULD; assume that all paths at or deeper than the depth of
191   the last symbolic element in the path field of the Request-URI also
192   are within the protection space specified by the Basic realm value of
193   the current challenge. A client &MAY; preemptively send the
194   corresponding Authorization header with requests for resources in
195   that space without receipt of another challenge from the server.
196   Similarly, when a client sends a request to a proxy, it may reuse a
197   userid and password in the Proxy-Authorization header field without
198   receiving another challenge from the proxy server. See <xref target="security.considerations"/> for
199   security considerations associated with Basic authentication.
200</t>
201</section> 
202
203<section title="Security Considerations" anchor="security.considerations">
204<t>
205   The Basic authentication scheme is not a secure method of user
206   authentication, nor does it in any way protect the entity, which is
207   transmitted in cleartext across the physical network used as the
208   carrier. HTTP does not prevent the addition of enhancements (such as
209   schemes to use one-time passwords) to Basic authentication.
210</t>
211<t>
212   The most serious flaw in Basic authentication is that it results in
213   the essentially cleartext transmission of the user's password over
214   the physical network. Many other authentication schemes address this
215   problem.
216</t>
217<t>
218   Because Basic authentication involves the cleartext transmission of
219   passwords it &SHOULD-NOT; be used (without enhancements) to protect
220   sensitive or valuable information.
221</t>
222<t>
223   A common use of Basic authentication is for identification purposes
224   &mdash; requiring the user to provide a user name and password as a means
225   of identification, for example, for purposes of gathering accurate
226   usage statistics on a server. When used in this way it is tempting to
227   think that there is no danger in its use if illicit access to the
228   protected documents is not a major concern. This is only correct if
229   the server issues both user name and password to the users and in
230   particular does not allow the user to choose his or her own password.
231   The danger arises because naive users frequently reuse a single
232   password to avoid the task of maintaining multiple passwords.
233</t>
234<t>
235   If a server permits users to select their own passwords, then the
236   threat is not only unauthorized access to documents on the server but
237   also unauthorized access to any other resources on other systems that
238   the user protects with the same password. Furthermore, in the
239   server's password database, many of the passwords may also be users'
240   passwords for other sites. The owner or administrator of such a
241   system could therefore expose all users of the system to the risk of
242   unauthorized access to all those sites if this information is not
243   maintained in a secure fashion.
244</t>
245<t>
246   Basic Authentication is also vulnerable to spoofing by counterfeit
247   servers. If a user can be led to believe that he is connecting to a
248   host containing information protected by Basic authentication when,
249   in fact, he is connecting to a hostile server or gateway, then the
250   attacker can request a password, store it for later use, and feign an
251   error. This type of attack is not possible with Digest
252   Authentication. Server implementers &SHOULD; guard against the
253   possibility of this sort of counterfeiting by gateways or CGI
254   scripts. In particular it is very dangerous for a server to simply
255   turn over a connection to a gateway.  That gateway can then use the
256   persistent connection mechanism to engage in multiple transactions
257   with the client while impersonating the original server in a way that
258   is not detectable by the client.
259</t>
260</section> 
261
262<section title="IANA Considerations" anchor="iana.considerations">
263<t>
264  IANA maintains the registry of HTTP Authentication Schemes (<xref target="draft-ietf-httpbis-p7-auth"/>)
265  at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
266</t>
267<t>
268  The entry for the "Basic" Authentication Scheme shall be updated with a pointer
269  to this specification. 
270</t>
271</section> 
272
273<section title="Acknowledgements">
274<t>
275  This specification takes over the definition of the "Basic" HTTP Authentication
276  Scheme, previously defined in RFC 2617. We thank John Franks,
277  Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence,
278  Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for their work on
279  that specification, from which significant amounts of text was borrowed.
280  See <xref target="RFC2617" x:fmt="of" x:sec="6"/> for further acknowledgements.
281</t>
282</section> 
283  </middle>
284  <back>
285 
286<references title="Normative References">
287 
288  <reference anchor="RFC2119">
289    <front>
290      <title abbrev="RFC Key Words">Key words for use in RFCs to Indicate Requirement Levels</title>
291      <author initials="S." surname="Bradner" fullname="Scott Bradner"/>
292      <date month="March" year="1997"/>
293    </front>
294    <seriesInfo name="BCP" value="14"/>
295    <seriesInfo name="RFC" value="2119"/>
296  </reference>
297
298  <reference anchor="RFC4648">
299    <front>
300      <title>The Base16, Base32, and Base64 Data Encodings</title>
301      <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
302      <date year="2006" month="October"/>
303    </front>
304    <seriesInfo value="4648" name="RFC"/>
305  </reference>
306 
307  <reference anchor="RFC5234">
308    <front>
309      <title abbrev="ABNF for Syntax Specifications">Augmented BNF for Syntax Specifications: ABNF</title>
310      <author initials="D." surname="Crocker" fullname="Dave Crocker" role="editor">
311        <organization>Brandenburg InternetWorking</organization>
312        <address>
313          <email>dcrocker@bbiw.net</email>
314        </address> 
315      </author>
316      <author initials="P." surname="Overell" fullname="Paul Overell">
317        <organization>THUS plc.</organization>
318        <address>
319          <email>paul.overell@thus.net</email>
320        </address>
321      </author>
322      <date month="January" year="2008"/>
323    </front>
324    <seriesInfo name="STD" value="68"/>
325    <seriesInfo name="RFC" value="5234"/>
326  </reference>
327
328  <reference anchor="draft-ietf-httpbis-p7-auth">
329    <front>
330      <title>Hypertext Transfer Protocol (HTTP/1.1): Authentication</title>
331      <author fullname="Roy T. Fielding" initials="R." role="editor" surname="Fielding"/>
332      <author fullname="Julian F. Reschke" initials="J. F." role="editor" surname="Reschke"/>
333      <date month="July" year="2013"/>
334    </front>
335    <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-p7-auth-23"/>
336  </reference>
337
338</references>
339
340<references title="Informative References"> 
341
342  <reference anchor="RFC2617">
343    <front>
344      <title abbrev="HTTP Authentication">HTTP Authentication: Basic and Digest Access Authentication</title>
345      <author initials="J." surname="Franks" fullname="John Franks"/>
346      <author initials="P.M." surname="Hallam-Baker" fullname="Phillip M. Hallam-Baker"/>
347      <author initials="J.L." surname="Hostetler" fullname="Jeffery L. Hostetler"/>
348      <author initials="S.D." surname="Lawrence" fullname="Scott D. Lawrence"/>
349      <author initials="P.J." surname="Leach" fullname="Paul J. Leach"/>
350      <author initials="A." surname="Luotonen" fullname="Ari Luotonen"/>
351      <author initials="L." surname="Stewart" fullname="Lawrence C. Stewart"/>
352      <date month="June" year="1999"/>
353    </front>
354    <seriesInfo name="RFC" value="2617"/>
355  </reference>
356
357  <reference anchor="RFC5246">
358     <front>
359        <title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
360        <author initials="T." surname="Dierks" fullname="T. Dierks"/>
361        <author initials="E." surname="Rescorla" fullname="E. Rescorla"/>
362        <date year="2008" month="August" />
363     </front>
364     <seriesInfo name="RFC" value="5246" />
365  </reference>
366
367  <reference anchor="draft-ietf-httpauth-digest-update">
368    <front>
369      <title>HTTP Digest Update</title>
370      <author initials="R." surname="Shekh-Yusef" fullname="Rifaat Shekh-Yusef"/>
371      <author initials="D." surname="Ahrens" fullname="David Ahrens"/>
372      <date month="September" day="2" year="2013"/>
373    </front>
374    <seriesInfo name="Internet-Draft" value="draft-ietf-httpauth-digest-update-05"/>
375  </reference>
376
377</references>
378
379<section title="Change Log (to be removed by RFC Editor before publication)" anchor="change.log">
380<section title="Since RFC 2617" anchor="changes.since.rfc2617">
381<t>
382  This draft acts as a baseline for tracking subsequent changes to the
383  specification. As such, it extracts the definition of "Basic", plus the related Security
384  Considerations, and also adds the IANA registration of the scheme.
385  Changes to the actual definition will be made in subsequent drafts.
386</t>
387</section>
388<section title="Since draft-ietf-httpauth-basicauth-update-00" anchor="changes.since.00">
389<t>
390  Fixed Base64 reference to point to an actual definition of Base64.
391</t>
392</section>
393</section>
394
395  </back>
396</rfc>
Note: See TracBrowser for help on using the repository browser.