source: draft-ietf-httpbis/diffs/draft-ietf-httpbis-p7-auth-26-from-25.diff.html @ 2650

Last change on this file since 2650 was 2616, checked in by julian.reschke@…, 7 years ago

prepare publication of -26

  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/html; charset=iso-8859-1
1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2<!-- Generated by rfcdiff 1.38: rfcdiff  -->
3<!-- <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional" > -->
4<html> 
5<head> 
6  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
7  <meta http-equiv="Content-Style-Type" content="text/css" />
8  <title>Diff: draft-ietf-httpbis-p7-auth-25.txt - draft-ietf-httpbis-p7-auth-26.txt</title>
9  <style type="text/css">
10    body    { margin: 0.4ex; margin-right: auto; }
11    tr      { }
12    td      { white-space: pre; font-family: monospace; vertical-align: top; font-size: 0.86em;}
13    th      { font-size: 0.86em; }
14    .small  { font-size: 0.6em; font-style: italic; font-family: Verdana, Helvetica, sans-serif; }
15    .left   { background-color: #EEE; }
16    .right  { background-color: #FFF; }
17    .diff   { background-color: #CCF; }
18    .lblock { background-color: #BFB; }
19    .rblock { background-color: #FF8; }
20    .insert { background-color: #8FF; }
21    .delete { background-color: #ACF; }
22    .void   { background-color: #FFB; }
23    .cont   { background-color: #EEE; }
24    .linebr { background-color: #AAA; }
25    .lineno { color: red; background-color: #FFF; font-size: 0.7em; text-align: right; padding: 0 2px; }
26    .elipsis{ background-color: #AAA; }
27    .left .cont { background-color: #DDD; }
28    .right .cont { background-color: #EEE; }
29    .lblock .cont { background-color: #9D9; }
30    .rblock .cont { background-color: #DD6; }
31    .insert .cont { background-color: #0DD; }
32    .delete .cont { background-color: #8AD; }
33    .stats, .stats td, .stats th { background-color: #EEE; padding: 2px 0; }
34  </style>
35</head>
36<body > 
37  <table border="0" cellpadding="0" cellspacing="0">
38  <tr bgcolor="orange"><th></th><th>&nbsp;draft-ietf-httpbis-p7-auth-25.txt&nbsp;</th><th> </th><th>&nbsp;draft-ietf-httpbis-p7-auth-26.txt&nbsp;</th><th></th></tr>
39      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
40      <tr><td class="lineno" valign="top"></td><td class="left">HTTPbis Working Group                                   R. Fielding, Ed.</td><td> </td><td class="right">HTTPbis Working Group                                   R. Fielding, Ed.</td><td class="lineno" valign="top"></td></tr>
41      <tr><td class="lineno" valign="top"></td><td class="left">Internet-Draft                                                     Adobe</td><td> </td><td class="right">Internet-Draft                                                     Adobe</td><td class="lineno" valign="top"></td></tr>
42      <tr><td class="lineno" valign="top"></td><td class="left">Obsoletes: 2616 (if approved)                            J. Reschke, Ed.</td><td> </td><td class="right">Obsoletes: 2616 (if approved)                            J. Reschke, Ed.</td><td class="lineno" valign="top"></td></tr>
43      <tr><td class="lineno" valign="top"></td><td class="left">Updates: 2617 (if approved)                                   greenbytes</td><td> </td><td class="right">Updates: 2617 (if approved)                                   greenbytes</td><td class="lineno" valign="top"></td></tr>
44      <tr><td><a name="diff0001" /></td></tr>
45      <tr><td class="lineno" valign="top"></td><td class="lblock">Intended status: Standards Track                       <span class="delete">November 17, 2013</span></td><td> </td><td class="rblock">Intended status: Standards Track                        <span class="insert">February 6, 2014</span></td><td class="lineno" valign="top"></td></tr>
46      <tr><td class="lineno" valign="top"></td><td class="lblock">Expires: <span class="delete">May 21,</span> 2014</td><td> </td><td class="rblock">Expires: <span class="insert">August 10,</span> 2014</td><td class="lineno" valign="top"></td></tr>
47      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
48      <tr><td class="lineno" valign="top"></td><td class="left">         Hypertext Transfer Protocol (HTTP/1.1): Authentication</td><td> </td><td class="right">         Hypertext Transfer Protocol (HTTP/1.1): Authentication</td><td class="lineno" valign="top"></td></tr>
49      <tr><td><a name="diff0002" /></td></tr>
50      <tr><td class="lineno" valign="top"></td><td class="lblock">                     draft-ietf-httpbis-p7-auth-2<span class="delete">5</span></td><td> </td><td class="rblock">                     draft-ietf-httpbis-p7-auth-2<span class="insert">6</span></td><td class="lineno" valign="top"></td></tr>
51      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
52      <tr><td class="lineno" valign="top"></td><td class="left">Abstract</td><td> </td><td class="right">Abstract</td><td class="lineno" valign="top"></td></tr>
53      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
54      <tr><td><a name="diff0003" /></td></tr>
55      <tr><td class="lineno" valign="top"></td><td class="lblock">   The Hypertext Transfer Protocol (HTTP) is <span class="delete">an application-level</span></td><td> </td><td class="rblock">   The Hypertext Transfer Protocol (HTTP) is <span class="insert">a stateless application-</span></td><td class="lineno" valign="top"></td></tr>
56      <tr><td class="lineno" valign="top"></td><td class="lblock">   protocol for distributed, collaborative, hypermedia information</td><td> </td><td class="rblock"><span class="insert">   level</span> protocol for distributed, collaborative, hypermedia information</td><td class="lineno" valign="top"></td></tr>
57      <tr><td class="lineno" valign="top"></td><td class="left">   systems.  This document defines the HTTP Authentication framework.</td><td> </td><td class="right">   systems.  This document defines the HTTP Authentication framework.</td><td class="lineno" valign="top"></td></tr>
58      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
59      <tr><td class="lineno" valign="top"></td><td class="left">Editorial Note (To be removed by RFC Editor)</td><td> </td><td class="right">Editorial Note (To be removed by RFC Editor)</td><td class="lineno" valign="top"></td></tr>
60      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
61      <tr><td class="lineno" valign="top"></td><td class="left">   Discussion of this draft takes place on the HTTPBIS working group</td><td> </td><td class="right">   Discussion of this draft takes place on the HTTPBIS working group</td><td class="lineno" valign="top"></td></tr>
62      <tr><td class="lineno" valign="top"></td><td class="left">   mailing list (ietf-http-wg@w3.org), which is archived at</td><td> </td><td class="right">   mailing list (ietf-http-wg@w3.org), which is archived at</td><td class="lineno" valign="top"></td></tr>
63      <tr><td class="lineno" valign="top"></td><td class="left">   &lt;http://lists.w3.org/Archives/Public/ietf-http-wg/&gt;.</td><td> </td><td class="right">   &lt;http://lists.w3.org/Archives/Public/ietf-http-wg/&gt;.</td><td class="lineno" valign="top"></td></tr>
64      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
65      <tr><td class="lineno" valign="top"></td><td class="left">   The current issues list is at</td><td> </td><td class="right">   The current issues list is at</td><td class="lineno" valign="top"></td></tr>
66      <tr><td class="lineno" valign="top"></td><td class="left">   &lt;http://tools.ietf.org/wg/httpbis/trac/report/3&gt; and related</td><td> </td><td class="right">   &lt;http://tools.ietf.org/wg/httpbis/trac/report/3&gt; and related</td><td class="lineno" valign="top"></td></tr>
67      <tr><td class="lineno" valign="top"></td><td class="left">   documents (including fancy diffs) can be found at</td><td> </td><td class="right">   documents (including fancy diffs) can be found at</td><td class="lineno" valign="top"></td></tr>
68      <tr><td class="lineno" valign="top"></td><td class="left">   &lt;http://tools.ietf.org/wg/httpbis/&gt;.</td><td> </td><td class="right">   &lt;http://tools.ietf.org/wg/httpbis/&gt;.</td><td class="lineno" valign="top"></td></tr>
69      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
70      <tr><td><a name="diff0004" /></td></tr>
71      <tr><td class="lineno" valign="top"></td><td class="lblock">   The changes in this draft are summarized in Appendix D.<span class="delete">1</span>.</td><td> </td><td class="rblock">   The changes in this draft are summarized in Appendix D.<span class="insert">2</span>.</td><td class="lineno" valign="top"></td></tr>
72      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
73      <tr><td class="lineno" valign="top"></td><td class="left">Status of This Memo</td><td> </td><td class="right">Status of This Memo</td><td class="lineno" valign="top"></td></tr>
74      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
75      <tr><td class="lineno" valign="top"></td><td class="left">   This Internet-Draft is submitted in full conformance with the</td><td> </td><td class="right">   This Internet-Draft is submitted in full conformance with the</td><td class="lineno" valign="top"></td></tr>
76      <tr><td class="lineno" valign="top"></td><td class="left">   provisions of BCP 78 and BCP 79.</td><td> </td><td class="right">   provisions of BCP 78 and BCP 79.</td><td class="lineno" valign="top"></td></tr>
77      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
78      <tr><td class="lineno" valign="top"></td><td class="left">   Internet-Drafts are working documents of the Internet Engineering</td><td> </td><td class="right">   Internet-Drafts are working documents of the Internet Engineering</td><td class="lineno" valign="top"></td></tr>
79      <tr><td class="lineno" valign="top"></td><td class="left">   Task Force (IETF).  Note that other groups may also distribute</td><td> </td><td class="right">   Task Force (IETF).  Note that other groups may also distribute</td><td class="lineno" valign="top"></td></tr>
80      <tr><td class="lineno" valign="top"></td><td class="left">   working documents as Internet-Drafts.  The list of current Internet-</td><td> </td><td class="right">   working documents as Internet-Drafts.  The list of current Internet-</td><td class="lineno" valign="top"></td></tr>
81      <tr><td class="lineno" valign="top"></td><td class="left">   Drafts is at http://datatracker.ietf.org/drafts/current/.</td><td> </td><td class="right">   Drafts is at http://datatracker.ietf.org/drafts/current/.</td><td class="lineno" valign="top"></td></tr>
82      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
83      <tr><td class="lineno" valign="top"></td><td class="left">   Internet-Drafts are draft documents valid for a maximum of six months</td><td> </td><td class="right">   Internet-Drafts are draft documents valid for a maximum of six months</td><td class="lineno" valign="top"></td></tr>
84      <tr><td class="lineno" valign="top"></td><td class="left">   and may be updated, replaced, or obsoleted by other documents at any</td><td> </td><td class="right">   and may be updated, replaced, or obsoleted by other documents at any</td><td class="lineno" valign="top"></td></tr>
85      <tr><td class="lineno" valign="top"></td><td class="left">   time.  It is inappropriate to use Internet-Drafts as reference</td><td> </td><td class="right">   time.  It is inappropriate to use Internet-Drafts as reference</td><td class="lineno" valign="top"></td></tr>
86      <tr><td class="lineno" valign="top"></td><td class="left">   material or to cite them other than as "work in progress."</td><td> </td><td class="right">   material or to cite them other than as "work in progress."</td><td class="lineno" valign="top"></td></tr>
87      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
88      <tr><td><a name="diff0005" /></td></tr>
89      <tr><td class="lineno" valign="top"></td><td class="lblock">   This Internet-Draft will expire on <span class="delete">May 21</span>, 2014.</td><td> </td><td class="rblock">   This Internet-Draft will expire on <span class="insert">August 10</span>, 2014.</td><td class="lineno" valign="top"></td></tr>
90      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
91      <tr><td class="lineno" valign="top"></td><td class="left">Copyright Notice</td><td> </td><td class="right">Copyright Notice</td><td class="lineno" valign="top"></td></tr>
92      <tr><td><a name="diff0006" /></td></tr>
93      <tr><td class="lineno" valign="top"></td><td class="lblock">   Copyright (c) 201<span class="delete">3</span> IETF Trust and the persons identified as the</td><td> </td><td class="rblock">   Copyright (c) 201<span class="insert">4</span> IETF Trust and the persons identified as the</td><td class="lineno" valign="top"></td></tr>
94      <tr><td class="lineno" valign="top"></td><td class="left">   document authors.  All rights reserved.</td><td> </td><td class="right">   document authors.  All rights reserved.</td><td class="lineno" valign="top"></td></tr>
95      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
96      <tr><td class="lineno" valign="top"></td><td class="left">   This document is subject to BCP 78 and the IETF Trust's Legal</td><td> </td><td class="right">   This document is subject to BCP 78 and the IETF Trust's Legal</td><td class="lineno" valign="top"></td></tr>
97      <tr><td class="lineno" valign="top"></td><td class="left">   Provisions Relating to IETF Documents</td><td> </td><td class="right">   Provisions Relating to IETF Documents</td><td class="lineno" valign="top"></td></tr>
98      <tr><td class="lineno" valign="top"></td><td class="left">   (http://trustee.ietf.org/license-info) in effect on the date of</td><td> </td><td class="right">   (http://trustee.ietf.org/license-info) in effect on the date of</td><td class="lineno" valign="top"></td></tr>
99      <tr><td class="lineno" valign="top"></td><td class="left">   publication of this document.  Please review these documents</td><td> </td><td class="right">   publication of this document.  Please review these documents</td><td class="lineno" valign="top"></td></tr>
100      <tr><td class="lineno" valign="top"></td><td class="left">   carefully, as they describe your rights and restrictions with respect</td><td> </td><td class="right">   carefully, as they describe your rights and restrictions with respect</td><td class="lineno" valign="top"></td></tr>
101      <tr><td class="lineno" valign="top"></td><td class="left">   to this document.  Code Components extracted from this document must</td><td> </td><td class="right">   to this document.  Code Components extracted from this document must</td><td class="lineno" valign="top"></td></tr>
102      <tr><td class="lineno" valign="top"></td><td class="left">   include Simplified BSD License text as described in Section 4.e of</td><td> </td><td class="right">   include Simplified BSD License text as described in Section 4.e of</td><td class="lineno" valign="top"></td></tr>
103      <tr><td class="lineno" valign="top"></td><td class="left">   the Trust Legal Provisions and are provided without warranty as</td><td> </td><td class="right">   the Trust Legal Provisions and are provided without warranty as</td><td class="lineno" valign="top"></td></tr>
104      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
105      <tr bgcolor="gray" ><td></td><th><a name="part-l2" /><small>skipping to change at</small><em> page 3, line 17</em></th><th> </th><th><a name="part-r2" /><small>skipping to change at</small><em> page 3, line 17</em></th><td></td></tr>
106      <tr><td class="lineno" valign="top"></td><td class="left">   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4</td><td> </td><td class="right">   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4</td><td class="lineno" valign="top"></td></tr>
107      <tr><td class="lineno" valign="top"></td><td class="left">     1.1.  Conformance and Error Handling . . . . . . . . . . . . . .  4</td><td> </td><td class="right">     1.1.  Conformance and Error Handling . . . . . . . . . . . . . .  4</td><td class="lineno" valign="top"></td></tr>
108      <tr><td class="lineno" valign="top"></td><td class="left">     1.2.  Syntax Notation  . . . . . . . . . . . . . . . . . . . . .  4</td><td> </td><td class="right">     1.2.  Syntax Notation  . . . . . . . . . . . . . . . . . . . . .  4</td><td class="lineno" valign="top"></td></tr>
109      <tr><td class="lineno" valign="top"></td><td class="left">   2.  Access Authentication Framework  . . . . . . . . . . . . . . .  4</td><td> </td><td class="right">   2.  Access Authentication Framework  . . . . . . . . . . . . . . .  4</td><td class="lineno" valign="top"></td></tr>
110      <tr><td class="lineno" valign="top"></td><td class="left">     2.1.  Challenge and Response . . . . . . . . . . . . . . . . . .  4</td><td> </td><td class="right">     2.1.  Challenge and Response . . . . . . . . . . . . . . . . . .  4</td><td class="lineno" valign="top"></td></tr>
111      <tr><td class="lineno" valign="top"></td><td class="left">     2.2.  Protection Space (Realm) . . . . . . . . . . . . . . . . .  6</td><td> </td><td class="right">     2.2.  Protection Space (Realm) . . . . . . . . . . . . . . . . .  6</td><td class="lineno" valign="top"></td></tr>
112      <tr><td class="lineno" valign="top"></td><td class="left">   3.  Status Code Definitions  . . . . . . . . . . . . . . . . . . .  7</td><td> </td><td class="right">   3.  Status Code Definitions  . . . . . . . . . . . . . . . . . . .  7</td><td class="lineno" valign="top"></td></tr>
113      <tr><td class="lineno" valign="top"></td><td class="left">     3.1.  401 Unauthorized . . . . . . . . . . . . . . . . . . . . .  7</td><td> </td><td class="right">     3.1.  401 Unauthorized . . . . . . . . . . . . . . . . . . . . .  7</td><td class="lineno" valign="top"></td></tr>
114      <tr><td class="lineno" valign="top"></td><td class="left">     3.2.  407 Proxy Authentication Required  . . . . . . . . . . . .  7</td><td> </td><td class="right">     3.2.  407 Proxy Authentication Required  . . . . . . . . . . . .  7</td><td class="lineno" valign="top"></td></tr>
115      <tr><td class="lineno" valign="top"></td><td class="left">   4.  Header Field Definitions . . . . . . . . . . . . . . . . . . .  7</td><td> </td><td class="right">   4.  Header Field Definitions . . . . . . . . . . . . . . . . . . .  7</td><td class="lineno" valign="top"></td></tr>
116      <tr><td><a name="diff0007" /></td></tr>
117      <tr><td class="lineno" valign="top"></td><td class="lblock">     4.1.  <span class="delete">Authorization  .</span> . . . . . . . . . . . . . . . . . . . . .  <span class="delete">7</span></td><td> </td><td class="rblock">     4.1.  <span class="insert">WWW-Authenticate</span> . . . . . . . . . . . . . . . . . . . . .  <span class="insert">8</span></td><td class="lineno" valign="top"></td></tr>
118      <tr><td class="lineno" valign="top"></td><td class="lblock">     4.2.  <span class="delete">Proxy-Authenticate</span> . . . . . . . . . . . . . . . . . . . .  8</td><td> </td><td class="rblock">     4.2.  <span class="insert">Authorization  . .</span> . . . . . . . . . . . . . . . . . . . .  8</td><td class="lineno" valign="top"></td></tr>
119      <tr><td class="lineno" valign="top"></td><td class="lblock">     4.3.  <span class="delete">Proxy-Authorization  .</span> . . . . . . . . . . . . . . . . . .  <span class="delete">8</span></td><td> </td><td class="rblock">     4.3.  <span class="insert">Proxy-Authenticate</span> . . . . . . . . . . . . . . . . . . . .  <span class="insert">9</span></td><td class="lineno" valign="top"></td></tr>
120      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">     4.4.  WWW-Authenticate</span> . . . . . . . . . . . . . . . . . . . . .  9</td><td> </td><td class="rblock"><span class="insert">     4.4.  Proxy-Authorization</span>  . . . . . . . . . . . . . . . . . . .  9</td><td class="lineno" valign="top"></td></tr>
121      <tr><td class="lineno" valign="top"></td><td class="left">   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10</td><td> </td><td class="right">   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
122      <tr><td class="lineno" valign="top"></td><td class="left">     5.1.  Authentication Scheme Registry . . . . . . . . . . . . . . 10</td><td> </td><td class="right">     5.1.  Authentication Scheme Registry . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
123      <tr><td class="lineno" valign="top"></td><td class="left">       5.1.1.  Procedure  . . . . . . . . . . . . . . . . . . . . . . 10</td><td> </td><td class="right">       5.1.1.  Procedure  . . . . . . . . . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
124      <tr><td class="lineno" valign="top"></td><td class="left">       5.1.2.  Considerations for New Authentication Schemes  . . . . 10</td><td> </td><td class="right">       5.1.2.  Considerations for New Authentication Schemes  . . . . 10</td><td class="lineno" valign="top"></td></tr>
125      <tr><td><a name="diff0008" /></td></tr>
126      <tr><td class="lineno" valign="top"></td><td class="lblock">     5.2.  Status Code Registration . . . . . . . . . . . . . . . . . 1<span class="delete">1</span></td><td> </td><td class="rblock">     5.2.  Status Code Registration . . . . . . . . . . . . . . . . . 1<span class="insert">2</span></td><td class="lineno" valign="top"></td></tr>
127      <tr><td class="lineno" valign="top"></td><td class="left">     5.3.  Header Field Registration  . . . . . . . . . . . . . . . . 12</td><td> </td><td class="right">     5.3.  Header Field Registration  . . . . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
128      <tr><td class="lineno" valign="top"></td><td class="left">   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12</td><td> </td><td class="right">   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
129      <tr><td><a name="diff0009" /></td></tr>
130      <tr><td class="lineno" valign="top"></td><td class="lblock">     6.1.  Authentication Credentials and Idle Clients  . . . . . . . <span class="delete">12</span></td><td> </td><td class="rblock">     6.1.  <span class="insert">Confidentiality of Credentials . . . . . . . . . . . . . . 13</span></td><td class="lineno" valign="top"></td></tr>
131      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">     6.2.</span>  Protection Spaces  . . . . . . . . . . . . . . . . . . . . <span class="delete">13</span></td><td> </td><td class="rblock"><span class="insert">     6.2.</span>  Authentication Credentials and Idle Clients  . . . . . . . <span class="insert">13</span></td><td class="lineno" valign="top"></td></tr>
132      <tr><td class="lineno" valign="top"></td><td class="lblock">   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">13</span></td><td> </td><td class="rblock"><span class="insert">     6.3.</span>  Protection Spaces  . . . . . . . . . . . . . . . . . . . . <span class="insert">14</span></td><td class="lineno" valign="top"></td></tr>
133      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">14</span></td><td class="lineno" valign="top"></td></tr>
134      <tr><td class="lineno" valign="top"></td><td class="left">   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 14</td><td> </td><td class="right">   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 14</td><td class="lineno" valign="top"></td></tr>
135      <tr><td class="lineno" valign="top"></td><td class="left">     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 14</td><td> </td><td class="right">     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 14</td><td class="lineno" valign="top"></td></tr>
136      <tr><td><a name="diff0010" /></td></tr>
137      <tr><td class="lineno" valign="top"></td><td class="lblock">     8.2.  Informative References . . . . . . . . . . . . . . . . . . <span class="delete">14</span></td><td> </td><td class="rblock">     8.2.  Informative References . . . . . . . . . . . . . . . . . . <span class="insert">15</span></td><td class="lineno" valign="top"></td></tr>
138      <tr><td class="lineno" valign="top"></td><td class="lblock">   Appendix A.  Changes from RFCs 2616 and 2617 . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock">   Appendix A.  Changes from RFCs 2616 and 2617 . . . . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
139      <tr><td class="lineno" valign="top"></td><td class="lblock">   Appendix B.  Imported ABNF . . . . . . . . . . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock">   Appendix B.  Imported ABNF . . . . . . . . . . . . . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
140      <tr><td class="lineno" valign="top"></td><td class="lblock">   Appendix C.  Collected ABNF  . . . . . . . . . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock">   Appendix C.  Collected ABNF  . . . . . . . . . . . . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
141      <tr><td class="lineno" valign="top"></td><td class="left">   Appendix D.  Change Log (to be removed by RFC Editor before</td><td> </td><td class="right">   Appendix D.  Change Log (to be removed by RFC Editor before</td><td class="lineno" valign="top"></td></tr>
142      <tr><td><a name="diff0011" /></td></tr>
143      <tr><td class="lineno" valign="top"></td><td class="lblock">                publication)  . . . . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock">                publication)  . . . . . . . . . . . . . . . . . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
144      <tr><td class="lineno" valign="top"></td><td class="lblock">     D.1.  Since draft-ietf-httpbis-p7-auth-24  . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock">     D.1.  Since draft-ietf-httpbis-p7-auth-24  . . . . . . . . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
145      <tr><td class="lineno" valign="top"></td><td class="lblock">   Index  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">17</span></td><td> </td><td class="rblock"><span class="insert">     D.2.  Since draft-ietf-httpbis-p7-auth-25  . . . . . . . . . . . 18</span></td><td class="lineno" valign="top"></td></tr>
146      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   Index  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
147      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
148      <tr><td class="lineno" valign="top"></td><td class="left">1.  Introduction</td><td> </td><td class="right">1.  Introduction</td><td class="lineno" valign="top"></td></tr>
149      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
150      <tr><td><a name="diff0012" /></td></tr>
151      <tr><td class="lineno" valign="top"></td><td class="lblock">   This document defines HTTP/1.1 <span class="delete">access control and authentication.  It</span></td><td> </td><td class="rblock">   <span class="insert">HTTP provides a general framework for access control and</span></td><td class="lineno" valign="top"></td></tr>
152      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   includes the relevant parts</span> of <span class="delete">RFC 2616 with only minor changes</span></td><td> </td><td class="rblock"><span class="insert">   authentication, via an extensible set of challenge-response</span></td><td class="lineno" valign="top"></td></tr>
153      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   ([RFC2616]), plus</span> the general framework <span class="delete">for HTTP authentication, as</span></td><td> </td><td class="rblock"><span class="insert">   authentication schemes, which can be used by a server to challenge a</span></td><td class="lineno" valign="top"></td></tr>
154      <tr><td class="lineno" valign="top"></td><td class="lblock">   previously <span class="delete">defined</span> in <span class="delete">"HTTP Authentication: Basic</span> and <span class="delete">Digest Access</span></td><td> </td><td class="rblock"><span class="insert">   client request and by a client to provide authentication information.</span></td><td class="lineno" valign="top"></td></tr>
155      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   Authentication" ([RFC2617]).</span></td><td> </td><td class="rblock">   This document defines HTTP/1.1 <span class="insert">authentication in terms</span> of <span class="insert">the</span></td><td class="lineno" valign="top"></td></tr>
156      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   architecture defined in [Part1], including</span> the general framework</td><td class="lineno" valign="top"></td></tr>
157      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   previously <span class="insert">described</span> in <span class="insert">RFC 2617 and the related fields</span> and <span class="insert">status</span></td><td class="lineno" valign="top"></td></tr>
158      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   codes previously defined in RFC 2616.</span></td><td class="lineno" valign="top"></td></tr>
159      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
160      <tr><td><a name="diff0013" /></td></tr>
161      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">HTTP provides several OPTIONAL challenge-response</span> authentication</td><td> </td><td class="rblock">   <span class="insert">The IANA Authentication Scheme Registry (Section 5.1) lists</span></td><td class="lineno" valign="top"></td></tr>
162      <tr><td class="lineno" valign="top"></td><td class="lblock">   schemes <span class="delete">that can be used by a server to challenge a client request</span></td><td> </td><td class="rblock"><span class="insert">   registered</span> authentication schemes and <span class="insert">their corresponding</span></td><td class="lineno" valign="top"></td></tr>
163      <tr><td class="lineno" valign="top"></td><td class="lblock">   and <span class="delete">by a client to provide authentication information.  The</span> "basic"</td><td> </td><td class="rblock"><span class="insert">   specifications, including the</span> "basic" and "digest" authentication</td><td class="lineno" valign="top"></td></tr>
164      <tr><td class="lineno" valign="top"></td><td class="lblock">   and "digest" authentication schemes <span class="delete">continue to be specified in</span> RFC</td><td> </td><td class="rblock">   schemes <span class="insert">previously defined by</span> RFC 2617.</td><td class="lineno" valign="top"></td></tr>
165      <tr><td class="lineno" valign="top"></td><td class="lblock">   2617.</td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
166      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
167      <tr><td class="lineno" valign="top"></td><td class="left">1.1.  Conformance and Error Handling</td><td> </td><td class="right">1.1.  Conformance and Error Handling</td><td class="lineno" valign="top"></td></tr>
168      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
169      <tr><td class="lineno" valign="top"></td><td class="left">   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",</td><td> </td><td class="right">   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",</td><td class="lineno" valign="top"></td></tr>
170      <tr><td class="lineno" valign="top"></td><td class="left">   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this</td><td> </td><td class="right">   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this</td><td class="lineno" valign="top"></td></tr>
171      <tr><td class="lineno" valign="top"></td><td class="left">   document are to be interpreted as described in [RFC2119].</td><td> </td><td class="right">   document are to be interpreted as described in [RFC2119].</td><td class="lineno" valign="top"></td></tr>
172      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
173      <tr><td class="lineno" valign="top"></td><td class="left">   Conformance criteria and considerations regarding error handling are</td><td> </td><td class="right">   Conformance criteria and considerations regarding error handling are</td><td class="lineno" valign="top"></td></tr>
174      <tr><td class="lineno" valign="top"></td><td class="left">   defined in Section 2.5 of [Part1].</td><td> </td><td class="right">   defined in Section 2.5 of [Part1].</td><td class="lineno" valign="top"></td></tr>
175      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
176      <tr><td class="lineno" valign="top"></td><td class="left">1.2.  Syntax Notation</td><td> </td><td class="right">1.2.  Syntax Notation</td><td class="lineno" valign="top"></td></tr>
177      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
178      <tr><td class="lineno" valign="top"></td><td class="left">   This specification uses the Augmented Backus-Naur Form (ABNF)</td><td> </td><td class="right">   This specification uses the Augmented Backus-Naur Form (ABNF)</td><td class="lineno" valign="top"></td></tr>
179      <tr><td><a name="diff0014" /></td></tr>
180      <tr><td class="lineno" valign="top"></td><td class="lblock">   notation of [RFC5234] with <span class="delete">the</span> list <span class="delete">rule extension</span> defined in Section</td><td> </td><td class="rblock">   notation of [RFC5234] with <span class="insert">a</span> list <span class="insert">extension,</span> defined in Section 7 of</td><td class="lineno" valign="top"></td></tr>
181      <tr><td class="lineno" valign="top"></td><td class="lblock">   7 of <span class="delete">[Part1].</span>  Appendix B describes rules imported from other</td><td> </td><td class="rblock">   <span class="insert">[Part1], that allows for compact definition of comma-separated lists</span></td><td class="lineno" valign="top"></td></tr>
182      <tr><td class="lineno" valign="top"></td><td class="lblock">   documents.  Appendix C shows the collected <span class="delete">ABNF</span> with <span class="delete">the</span> list <span class="delete">rule</span></td><td> </td><td class="rblock"><span class="insert">   using a '#' operator (similar to how the '*' operator indicates</span></td><td class="lineno" valign="top"></td></tr>
183      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   expanded.</span></td><td> </td><td class="rblock"><span class="insert">   repetition).</span>  Appendix B describes rules imported from other</td><td class="lineno" valign="top"></td></tr>
184      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   documents.  Appendix C shows the collected <span class="insert">grammar</span> with <span class="insert">all</span> list</td><td class="lineno" valign="top"></td></tr>
185      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   <span class="insert">operators expanded to standard ABNF notation.</span></td><td class="lineno" valign="top"></td></tr>
186      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
187      <tr><td class="lineno" valign="top"></td><td class="left">2.  Access Authentication Framework</td><td> </td><td class="right">2.  Access Authentication Framework</td><td class="lineno" valign="top"></td></tr>
188      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
189      <tr><td class="lineno" valign="top"></td><td class="left">2.1.  Challenge and Response</td><td> </td><td class="right">2.1.  Challenge and Response</td><td class="lineno" valign="top"></td></tr>
190      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
191      <tr><td class="lineno" valign="top"></td><td class="left">   HTTP provides a simple challenge-response authentication framework</td><td> </td><td class="right">   HTTP provides a simple challenge-response authentication framework</td><td class="lineno" valign="top"></td></tr>
192      <tr><td class="lineno" valign="top"></td><td class="left">   that can be used by a server to challenge a client request and by a</td><td> </td><td class="right">   that can be used by a server to challenge a client request and by a</td><td class="lineno" valign="top"></td></tr>
193      <tr><td class="lineno" valign="top"></td><td class="left">   client to provide authentication information.  It uses a case-</td><td> </td><td class="right">   client to provide authentication information.  It uses a case-</td><td class="lineno" valign="top"></td></tr>
194      <tr><td class="lineno" valign="top"></td><td class="left">   insensitive token as a means to identify the authentication scheme,</td><td> </td><td class="right">   insensitive token as a means to identify the authentication scheme,</td><td class="lineno" valign="top"></td></tr>
195      <tr><td class="lineno" valign="top"></td><td class="left">   followed by additional information necessary for achieving</td><td> </td><td class="right">   followed by additional information necessary for achieving</td><td class="lineno" valign="top"></td></tr>
196      <tr><td class="lineno" valign="top"></td><td class="left">   authentication via that scheme.  The latter can either be a comma-</td><td> </td><td class="right">   authentication via that scheme.  The latter can either be a comma-</td><td class="lineno" valign="top"></td></tr>
197      <tr><td class="lineno" valign="top"></td><td class="left">   separated list of parameters or a single sequence of characters</td><td> </td><td class="right">   separated list of parameters or a single sequence of characters</td><td class="lineno" valign="top"></td></tr>
198      <tr><td class="lineno" valign="top"></td><td class="left">   capable of holding base64-encoded information.</td><td> </td><td class="right">   capable of holding base64-encoded information.</td><td class="lineno" valign="top"></td></tr>
199      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
200      <tr><td><a name="diff0015" /></td></tr>
201      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">Parameters</span> are <span class="delete">name-value pairs</span> where the name is matched <span class="delete">case-</span></td><td> </td><td class="rblock">   <span class="insert">Authentication parameters</span> are <span class="insert">name=value pairs,</span> where the name <span class="insert">token</span></td><td class="lineno" valign="top"></td></tr>
202      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   insensitively,</span> and each parameter name MUST only occur once per</td><td> </td><td class="rblock">   is matched <span class="insert">case-insensitively,</span> and each parameter name MUST only</td><td class="lineno" valign="top"></td></tr>
203      <tr><td class="lineno" valign="top"></td><td class="lblock">   challenge.</td><td> </td><td class="rblock">   occur once per challenge.</td><td class="lineno" valign="top"></td></tr>
204      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
205      <tr><td class="lineno" valign="top"></td><td class="left">     auth-scheme    = token</td><td> </td><td class="right">     auth-scheme    = token</td><td class="lineno" valign="top"></td></tr>
206      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
207      <tr><td class="lineno" valign="top"></td><td class="left">     auth-param     = token BWS "=" BWS ( token / quoted-string )</td><td> </td><td class="right">     auth-param     = token BWS "=" BWS ( token / quoted-string )</td><td class="lineno" valign="top"></td></tr>
208      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
209      <tr><td class="lineno" valign="top"></td><td class="left">     token68        = 1*( ALPHA / DIGIT /</td><td> </td><td class="right">     token68        = 1*( ALPHA / DIGIT /</td><td class="lineno" valign="top"></td></tr>
210      <tr><td class="lineno" valign="top"></td><td class="left">                          "-" / "." / "_" / "~" / "+" / "/" ) *"="</td><td> </td><td class="right">                          "-" / "." / "_" / "~" / "+" / "/" ) *"="</td><td class="lineno" valign="top"></td></tr>
211      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
212      <tr><td class="lineno" valign="top"></td><td class="left">   The "token68" syntax allows the 66 unreserved URI characters</td><td> </td><td class="right">   The "token68" syntax allows the 66 unreserved URI characters</td><td class="lineno" valign="top"></td></tr>
213      <tr><td class="lineno" valign="top"></td><td class="left">   ([RFC3986]), plus a few others, so that it can hold a base64,</td><td> </td><td class="right">   ([RFC3986]), plus a few others, so that it can hold a base64,</td><td class="lineno" valign="top"></td></tr>
214      <tr><td class="lineno" valign="top"></td><td class="left">   base64url (URL and filename safe alphabet), base32, or base16 (hex)</td><td> </td><td class="right">   base64url (URL and filename safe alphabet), base32, or base16 (hex)</td><td class="lineno" valign="top"></td></tr>
215      <tr><td class="lineno" valign="top"></td><td class="left">   encoding, with or without padding, but excluding whitespace</td><td> </td><td class="right">   encoding, with or without padding, but excluding whitespace</td><td class="lineno" valign="top"></td></tr>
216      <tr><td class="lineno" valign="top"></td><td class="left">   ([RFC4648]).</td><td> </td><td class="right">   ([RFC4648]).</td><td class="lineno" valign="top"></td></tr>
217      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
218      <tr><td><a name="diff0016" /></td></tr>
219      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">The</span> 401 (Unauthorized) response message is used by an origin server</td><td> </td><td class="rblock">   <span class="insert">A</span> 401 (Unauthorized) response message is used by an origin server to</td><td class="lineno" valign="top"></td></tr>
220      <tr><td class="lineno" valign="top"></td><td class="lblock">   to challenge the authorization of a user <span class="delete">agent.  This response MUST</span></td><td> </td><td class="rblock">   challenge the authorization of a user <span class="insert">agent, including</span> a <span class="insert">WWW-</span></td><td class="lineno" valign="top"></td></tr>
221      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   include</span> a <span class="delete">WWW-Authenticate</span> header field containing at least one</td><td> </td><td class="rblock"><span class="insert">   Authenticate</span> header field containing at least one challenge</td><td class="lineno" valign="top"></td></tr>
222      <tr><td class="lineno" valign="top"></td><td class="lblock">   challenge applicable to the requested resource.</td><td> </td><td class="rblock">   applicable to the requested resource.</td><td class="lineno" valign="top"></td></tr>
223      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
224      <tr><td><a name="diff0017" /></td></tr>
225      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">The</span> 407 (Proxy Authentication Required) response message is used by a</td><td> </td><td class="rblock">   <span class="insert">A</span> 407 (Proxy Authentication Required) response message is used by a</td><td class="lineno" valign="top"></td></tr>
226      <tr><td class="lineno" valign="top"></td><td class="lblock">   proxy to challenge the authorization of a <span class="delete">client and MUST include</span> a</td><td> </td><td class="rblock">   proxy to challenge the authorization of a <span class="insert">client, including</span> a <span class="insert">Proxy-</span></td><td class="lineno" valign="top"></td></tr>
227      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">Proxy-Authenticate</span> header field containing at least one challenge</td><td> </td><td class="rblock"><span class="insert">   Authenticate</span> header field containing at least one challenge</td><td class="lineno" valign="top"></td></tr>
228      <tr><td class="lineno" valign="top"></td><td class="left">   applicable to the proxy for the requested resource.</td><td> </td><td class="right">   applicable to the proxy for the requested resource.</td><td class="lineno" valign="top"></td></tr>
229      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
230      <tr><td class="lineno" valign="top"></td><td class="left">     challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]</td><td> </td><td class="right">     challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]</td><td class="lineno" valign="top"></td></tr>
231      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
232      <tr><td><a name="diff0018" /></td></tr>
233      <tr><td class="lineno" valign="top"></td><td class="lblock">      Note: Many clients fail to parse <span class="delete">challenges containing</span> unknown</td><td> </td><td class="rblock">      Note: Many clients fail to parse <span class="insert">a challenge that contains an</span></td><td class="lineno" valign="top"></td></tr>
234      <tr><td class="lineno" valign="top"></td><td class="lblock">      <span class="delete">schemes.</span>  A workaround for this problem is to list <span class="delete">well-supported</span></td><td> </td><td class="rblock">      unknown <span class="insert">scheme.</span>  A workaround for this problem is to list <span class="insert">well-</span></td><td class="lineno" valign="top"></td></tr>
235      <tr><td class="lineno" valign="top"></td><td class="lblock">      schemes (such as "basic") first.</td><td> </td><td class="rblock"><span class="insert">      supported</span> schemes (such as "basic") first.</td><td class="lineno" valign="top"></td></tr>
236      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
237      <tr><td class="lineno" valign="top"></td><td class="left">   A user agent that wishes to authenticate itself with an origin server</td><td> </td><td class="right">   A user agent that wishes to authenticate itself with an origin server</td><td class="lineno" valign="top"></td></tr>
238      <tr><td class="lineno" valign="top"></td><td class="left">   -- usually, but not necessarily, after receiving a 401 (Unauthorized)</td><td> </td><td class="right">   -- usually, but not necessarily, after receiving a 401 (Unauthorized)</td><td class="lineno" valign="top"></td></tr>
239      <tr><td class="lineno" valign="top"></td><td class="left">   -- can do so by including an Authorization header field with the</td><td> </td><td class="right">   -- can do so by including an Authorization header field with the</td><td class="lineno" valign="top"></td></tr>
240      <tr><td class="lineno" valign="top"></td><td class="left">   request.</td><td> </td><td class="right">   request.</td><td class="lineno" valign="top"></td></tr>
241      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
242      <tr><td class="lineno" valign="top"></td><td class="left">   A client that wishes to authenticate itself with a proxy -- usually,</td><td> </td><td class="right">   A client that wishes to authenticate itself with a proxy -- usually,</td><td class="lineno" valign="top"></td></tr>
243      <tr><td class="lineno" valign="top"></td><td class="left">   but not necessarily, after receiving a 407 (Proxy Authentication</td><td> </td><td class="right">   but not necessarily, after receiving a 407 (Proxy Authentication</td><td class="lineno" valign="top"></td></tr>
244      <tr><td class="lineno" valign="top"></td><td class="left">   Required) -- can do so by including a Proxy-Authorization header</td><td> </td><td class="right">   Required) -- can do so by including a Proxy-Authorization header</td><td class="lineno" valign="top"></td></tr>
245      <tr><td class="lineno" valign="top"></td><td class="left">   field with the request.</td><td> </td><td class="right">   field with the request.</td><td class="lineno" valign="top"></td></tr>
246      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
247      <tr><td class="lineno" valign="top"></td><td class="left">   Both the Authorization field value and the Proxy-Authorization field</td><td> </td><td class="right">   Both the Authorization field value and the Proxy-Authorization field</td><td class="lineno" valign="top"></td></tr>
248      <tr><td class="lineno" valign="top"></td><td class="left">   value contain the client's credentials for the realm of the resource</td><td> </td><td class="right">   value contain the client's credentials for the realm of the resource</td><td class="lineno" valign="top"></td></tr>
249      <tr><td class="lineno" valign="top"></td><td class="left">   being requested, based upon a challenge received in a response</td><td> </td><td class="right">   being requested, based upon a challenge received in a response</td><td class="lineno" valign="top"></td></tr>
250      <tr><td class="lineno" valign="top"></td><td class="left">   (possibly at some point in the past).  When creating their values,</td><td> </td><td class="right">   (possibly at some point in the past).  When creating their values,</td><td class="lineno" valign="top"></td></tr>
251      <tr><td class="lineno" valign="top"></td><td class="left">   the user agent ought to do so by selecting the challenge with what it</td><td> </td><td class="right">   the user agent ought to do so by selecting the challenge with what it</td><td class="lineno" valign="top"></td></tr>
252      <tr><td class="lineno" valign="top"></td><td class="left">   considers to be the most secure auth-scheme that it understands,</td><td> </td><td class="right">   considers to be the most secure auth-scheme that it understands,</td><td class="lineno" valign="top"></td></tr>
253      <tr><td><a name="diff0019" /></td></tr>
254      <tr><td class="lineno" valign="top"></td><td class="lblock">   obtaining credentials from the user as appropriate.</td><td> </td><td class="rblock">   obtaining credentials from the user as appropriate.  <span class="insert">Transmission of</span></td><td class="lineno" valign="top"></td></tr>
255      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   credentials within header field values implies significant security</span></td><td class="lineno" valign="top"></td></tr>
256      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   considerations regarding the confidentiality of the underlying</span></td><td class="lineno" valign="top"></td></tr>
257      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   connection, as described in Section 6.1.</span></td><td class="lineno" valign="top"></td></tr>
258      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
259      <tr><td class="lineno" valign="top"></td><td class="left">     credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]</td><td> </td><td class="right">     credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]</td><td class="lineno" valign="top"></td></tr>
260      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
261      <tr><td class="lineno" valign="top"></td><td class="left">   Upon receipt of a request for a protected resource that omits</td><td> </td><td class="right">   Upon receipt of a request for a protected resource that omits</td><td class="lineno" valign="top"></td></tr>
262      <tr><td class="lineno" valign="top"></td><td class="left">   credentials, contains invalid credentials (e.g., a bad password) or</td><td> </td><td class="right">   credentials, contains invalid credentials (e.g., a bad password) or</td><td class="lineno" valign="top"></td></tr>
263      <tr><td class="lineno" valign="top"></td><td class="left">   partial credentials (e.g., when the authentication scheme requires</td><td> </td><td class="right">   partial credentials (e.g., when the authentication scheme requires</td><td class="lineno" valign="top"></td></tr>
264      <tr><td class="lineno" valign="top"></td><td class="left">   more than one round trip), an origin server SHOULD send a 401</td><td> </td><td class="right">   more than one round trip), an origin server SHOULD send a 401</td><td class="lineno" valign="top"></td></tr>
265      <tr><td class="lineno" valign="top"></td><td class="left">   (Unauthorized) response that contains a WWW-Authenticate header field</td><td> </td><td class="right">   (Unauthorized) response that contains a WWW-Authenticate header field</td><td class="lineno" valign="top"></td></tr>
266      <tr><td class="lineno" valign="top"></td><td class="left">   with at least one (possibly new) challenge applicable to the</td><td> </td><td class="right">   with at least one (possibly new) challenge applicable to the</td><td class="lineno" valign="top"></td></tr>
267      <tr><td class="lineno" valign="top"></td><td class="left">   requested resource.</td><td> </td><td class="right">   requested resource.</td><td class="lineno" valign="top"></td></tr>
268      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
269      <tr><td><a name="diff0020" /></td></tr>
270      <tr><td class="lineno" valign="top"></td><td class="lblock">   Likewise, upon receipt of a request that <span class="delete">requires authentication by</span></td><td> </td><td class="rblock">   Likewise, upon receipt of a request that <span class="insert">omits proxy</span> credentials or</td><td class="lineno" valign="top"></td></tr>
271      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   proxies that omit</span> credentials or <span class="delete">contain</span> invalid or partial</td><td> </td><td class="rblock">   <span class="insert">contains</span> invalid or partial <span class="insert">proxy</span> credentials, a proxy <span class="insert">that requires</span></td><td class="lineno" valign="top"></td></tr>
272      <tr><td class="lineno" valign="top"></td><td class="lblock">   credentials, a proxy SHOULD <span class="delete">send</span> a 407 (Proxy Authentication</td><td> </td><td class="rblock"><span class="insert">   authentication</span> SHOULD <span class="insert">generate</span> a 407 (Proxy Authentication Required)</td><td class="lineno" valign="top"></td></tr>
273      <tr><td class="lineno" valign="top"></td><td class="lblock">   Required) response that contains a Proxy-Authenticate header field</td><td> </td><td class="rblock">   response that contains a Proxy-Authenticate header field with <span class="insert">at</span></td><td class="lineno" valign="top"></td></tr>
274      <tr><td class="lineno" valign="top"></td><td class="lblock">   with <span class="delete">a</span> (possibly new) challenge applicable to the proxy.</td><td> </td><td class="rblock"><span class="insert">   least one</span> (possibly new) challenge applicable to the proxy.</td><td class="lineno" valign="top"></td></tr>
275      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
276      <tr><td><a name="diff0021" /></td></tr>
277      <tr><td class="lineno" valign="top"></td><td class="lblock">   A server <span class="delete">receiving credentials</span> that are <span class="delete">valid, but</span> not adequate to</td><td> </td><td class="rblock">   A server that <span class="insert">receives valid credentials which</span> are not adequate to</td><td class="lineno" valign="top"></td></tr>
278      <tr><td class="lineno" valign="top"></td><td class="lblock">   gain <span class="delete">access,</span> ought to respond with the 403 (Forbidden) status code</td><td> </td><td class="rblock">   gain <span class="insert">access</span> ought to respond with the 403 (Forbidden) status code</td><td class="lineno" valign="top"></td></tr>
279      <tr><td class="lineno" valign="top"></td><td class="left">   (Section 6.5.3 of [Part2]).</td><td> </td><td class="right">   (Section 6.5.3 of [Part2]).</td><td class="lineno" valign="top"></td></tr>
280      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
281      <tr><td class="lineno" valign="top"></td><td class="left">   HTTP does not restrict applications to this simple challenge-response</td><td> </td><td class="right">   HTTP does not restrict applications to this simple challenge-response</td><td class="lineno" valign="top"></td></tr>
282      <tr><td class="lineno" valign="top"></td><td class="left">   framework for access authentication.  Additional mechanisms can be</td><td> </td><td class="right">   framework for access authentication.  Additional mechanisms can be</td><td class="lineno" valign="top"></td></tr>
283      <tr><td class="lineno" valign="top"></td><td class="left">   used, such as authentication at the transport level or via message</td><td> </td><td class="right">   used, such as authentication at the transport level or via message</td><td class="lineno" valign="top"></td></tr>
284      <tr><td class="lineno" valign="top"></td><td class="left">   encapsulation, and with additional header fields specifying</td><td> </td><td class="right">   encapsulation, and with additional header fields specifying</td><td class="lineno" valign="top"></td></tr>
285      <tr><td class="lineno" valign="top"></td><td class="left">   authentication information.  However, such additional mechanisms are</td><td> </td><td class="right">   authentication information.  However, such additional mechanisms are</td><td class="lineno" valign="top"></td></tr>
286      <tr><td class="lineno" valign="top"></td><td class="left">   not defined by this specification.</td><td> </td><td class="right">   not defined by this specification.</td><td class="lineno" valign="top"></td></tr>
287      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
288      <tr><td><a name="diff0022" /></td></tr>
289      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">A proxy MUST forward the WWW-Authenticate and Authorization header</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
290      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   fields unmodified and follow the rules found in Section 4.1.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
291      <tr><td class="lineno" valign="top"></td><td class="lblock">                                                                         </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
292      <tr><td class="lineno" valign="top"></td><td class="left">2.2.  Protection Space (Realm)</td><td> </td><td class="right">2.2.  Protection Space (Realm)</td><td class="lineno" valign="top"></td></tr>
293      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
294      <tr><td><a name="diff0023" /></td></tr>
295      <tr><td class="lineno" valign="top"></td><td class="lblock">   The authentication parameter <span class="delete">realm</span> is reserved for use by</td><td> </td><td class="rblock">   The <span class="insert">"realm"</span> authentication parameter is reserved for use by</td><td class="lineno" valign="top"></td></tr>
296      <tr><td class="lineno" valign="top"></td><td class="lblock">   authentication schemes that wish to indicate <span class="delete">the</span> scope of protection.</td><td> </td><td class="rblock">   authentication schemes that wish to indicate <span class="insert">a</span> scope of protection.</td><td class="lineno" valign="top"></td></tr>
297      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
298      <tr><td class="lineno" valign="top"></td><td class="left">   A protection space is defined by the canonical root URI (the scheme</td><td> </td><td class="right">   A protection space is defined by the canonical root URI (the scheme</td><td class="lineno" valign="top"></td></tr>
299      <tr><td class="lineno" valign="top"></td><td class="left">   and authority components of the effective request URI; see Section</td><td> </td><td class="right">   and authority components of the effective request URI; see Section</td><td class="lineno" valign="top"></td></tr>
300      <tr><td class="lineno" valign="top"></td><td class="left">   5.5 of [Part1]) of the server being accessed, in combination with the</td><td> </td><td class="right">   5.5 of [Part1]) of the server being accessed, in combination with the</td><td class="lineno" valign="top"></td></tr>
301      <tr><td class="lineno" valign="top"></td><td class="left">   realm value if present.  These realms allow the protected resources</td><td> </td><td class="right">   realm value if present.  These realms allow the protected resources</td><td class="lineno" valign="top"></td></tr>
302      <tr><td class="lineno" valign="top"></td><td class="left">   on a server to be partitioned into a set of protection spaces, each</td><td> </td><td class="right">   on a server to be partitioned into a set of protection spaces, each</td><td class="lineno" valign="top"></td></tr>
303      <tr><td class="lineno" valign="top"></td><td class="left">   with its own authentication scheme and/or authorization database.</td><td> </td><td class="right">   with its own authentication scheme and/or authorization database.</td><td class="lineno" valign="top"></td></tr>
304      <tr><td class="lineno" valign="top"></td><td class="left">   The realm value is a string, generally assigned by the origin server,</td><td> </td><td class="right">   The realm value is a string, generally assigned by the origin server,</td><td class="lineno" valign="top"></td></tr>
305      <tr><td class="lineno" valign="top"></td><td class="left">   which can have additional semantics specific to the authentication</td><td> </td><td class="right">   which can have additional semantics specific to the authentication</td><td class="lineno" valign="top"></td></tr>
306      <tr><td class="lineno" valign="top"></td><td class="left">   scheme.  Note that a response can have multiple challenges with the</td><td> </td><td class="right">   scheme.  Note that a response can have multiple challenges with the</td><td class="lineno" valign="top"></td></tr>
307      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
308      <tr bgcolor="gray" ><td></td><th><a name="part-l3" /><small>skipping to change at</small><em> page 7, line 20</em></th><th> </th><th><a name="part-r3" /><small>skipping to change at</small><em> page 7, line 25</em></th><td></td></tr>
309      <tr><td class="lineno" valign="top"></td><td class="left">   syntax.  Recipients might have to support both token and quoted-</td><td> </td><td class="right">   syntax.  Recipients might have to support both token and quoted-</td><td class="lineno" valign="top"></td></tr>
310      <tr><td class="lineno" valign="top"></td><td class="left">   string syntax for maximum interoperability with existing clients that</td><td> </td><td class="right">   string syntax for maximum interoperability with existing clients that</td><td class="lineno" valign="top"></td></tr>
311      <tr><td class="lineno" valign="top"></td><td class="left">   have been accepting both notations for a long time.</td><td> </td><td class="right">   have been accepting both notations for a long time.</td><td class="lineno" valign="top"></td></tr>
312      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
313      <tr><td class="lineno" valign="top"></td><td class="left">3.  Status Code Definitions</td><td> </td><td class="right">3.  Status Code Definitions</td><td class="lineno" valign="top"></td></tr>
314      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
315      <tr><td class="lineno" valign="top"></td><td class="left">3.1.  401 Unauthorized</td><td> </td><td class="right">3.1.  401 Unauthorized</td><td class="lineno" valign="top"></td></tr>
316      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
317      <tr><td class="lineno" valign="top"></td><td class="left">   The 401 (Unauthorized) status code indicates that the request has not</td><td> </td><td class="right">   The 401 (Unauthorized) status code indicates that the request has not</td><td class="lineno" valign="top"></td></tr>
318      <tr><td class="lineno" valign="top"></td><td class="left">   been applied because it lacks valid authentication credentials for</td><td> </td><td class="right">   been applied because it lacks valid authentication credentials for</td><td class="lineno" valign="top"></td></tr>
319      <tr><td><a name="diff0024" /></td></tr>
320      <tr><td class="lineno" valign="top"></td><td class="lblock">   the target resource.  The <span class="delete">origin</span> server MUST send a WWW-Authenticate</td><td> </td><td class="rblock">   the target resource.  The server <span class="insert">generating a 401 response</span> MUST send</td><td class="lineno" valign="top"></td></tr>
321      <tr><td class="lineno" valign="top"></td><td class="lblock">   header field (Section <span class="delete">4.4)</span> containing at least one challenge</td><td> </td><td class="rblock">   a WWW-Authenticate header field (Section <span class="insert">4.1)</span> containing at least one</td><td class="lineno" valign="top"></td></tr>
322      <tr><td class="lineno" valign="top"></td><td class="lblock">   applicable to the target resource.  If the request included</td><td> </td><td class="rblock">   challenge applicable to the target resource.</td><td class="lineno" valign="top"></td></tr>
323      <tr><td class="lineno" valign="top"></td><td class="lblock">   authentication credentials, then the 401 response indicates that</td><td> </td><td class="rblock">                                                                         </td><td class="lineno" valign="top"></td></tr>
324      <tr><td class="lineno" valign="top"></td><td class="lblock">   authorization has been refused for those credentials.  The user agent</td><td> </td><td class="rblock">   If the request included authentication credentials, then the 401</td><td class="lineno" valign="top"></td></tr>
325      <tr><td class="lineno" valign="top"></td><td class="lblock">   MAY repeat the request with a new or replaced Authorization header</td><td> </td><td class="rblock">   response indicates that authorization has been refused for those</td><td class="lineno" valign="top"></td></tr>
326      <tr><td class="lineno" valign="top"></td><td class="lblock">   field (Section <span class="delete">4.1).</span>  If the 401 response contains the same challenge</td><td> </td><td class="rblock">   credentials.  The user agent MAY repeat the request with a new or</td><td class="lineno" valign="top"></td></tr>
327      <tr><td class="lineno" valign="top"></td><td class="lblock">   as the prior response, and the user agent has already attempted</td><td> </td><td class="rblock">   replaced Authorization header field (Section <span class="insert">4.2).</span>  If the 401</td><td class="lineno" valign="top"></td></tr>
328      <tr><td class="lineno" valign="top"></td><td class="lblock">   authentication at least once, then the user agent SHOULD present the</td><td> </td><td class="rblock">   response contains the same challenge as the prior response, and the</td><td class="lineno" valign="top"></td></tr>
329      <tr><td class="lineno" valign="top"></td><td class="lblock">   enclosed representation to the user, since it usually contains</td><td> </td><td class="rblock">   user agent has already attempted authentication at least once, then</td><td class="lineno" valign="top"></td></tr>
330      <tr><td class="lineno" valign="top"></td><td class="lblock">   relevant diagnostic information.</td><td> </td><td class="rblock">   the user agent SHOULD present the enclosed representation to the</td><td class="lineno" valign="top"></td></tr>
331      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   user, since it usually contains relevant diagnostic information.</td><td class="lineno" valign="top"></td></tr>
332      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
333      <tr><td class="lineno" valign="top"></td><td class="left">3.2.  407 Proxy Authentication Required</td><td> </td><td class="right">3.2.  407 Proxy Authentication Required</td><td class="lineno" valign="top"></td></tr>
334      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
335      <tr><td class="lineno" valign="top"></td><td class="left">   The 407 (Proxy Authentication Required) status code is similar to 401</td><td> </td><td class="right">   The 407 (Proxy Authentication Required) status code is similar to 401</td><td class="lineno" valign="top"></td></tr>
336      <tr><td class="lineno" valign="top"></td><td class="left">   (Unauthorized), but indicates that the client needs to authenticate</td><td> </td><td class="right">   (Unauthorized), but indicates that the client needs to authenticate</td><td class="lineno" valign="top"></td></tr>
337      <tr><td class="lineno" valign="top"></td><td class="left">   itself in order to use a proxy.  The proxy MUST send a Proxy-</td><td> </td><td class="right">   itself in order to use a proxy.  The proxy MUST send a Proxy-</td><td class="lineno" valign="top"></td></tr>
338      <tr><td><a name="diff0025" /></td></tr>
339      <tr><td class="lineno" valign="top"></td><td class="lblock">   Authenticate header field (Section 4.<span class="delete">2</span>) containing a challenge</td><td> </td><td class="rblock">   Authenticate header field (Section 4.<span class="insert">3</span>) containing a challenge</td><td class="lineno" valign="top"></td></tr>
340      <tr><td class="lineno" valign="top"></td><td class="left">   applicable to that proxy for the target resource.  The client MAY</td><td> </td><td class="right">   applicable to that proxy for the target resource.  The client MAY</td><td class="lineno" valign="top"></td></tr>
341      <tr><td class="lineno" valign="top"></td><td class="left">   repeat the request with a new or replaced Proxy-Authorization header</td><td> </td><td class="right">   repeat the request with a new or replaced Proxy-Authorization header</td><td class="lineno" valign="top"></td></tr>
342      <tr><td><a name="diff0026" /></td></tr>
343      <tr><td class="lineno" valign="top"></td><td class="lblock">   field (Section 4.<span class="delete">3</span>).</td><td> </td><td class="rblock">   field (Section 4.<span class="insert">4</span>).</td><td class="lineno" valign="top"></td></tr>
344      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
345      <tr><td class="lineno" valign="top"></td><td class="left">4.  Header Field Definitions</td><td> </td><td class="right">4.  Header Field Definitions</td><td class="lineno" valign="top"></td></tr>
346      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
347      <tr><td><a name="diff0027" /></td></tr>
348      <tr><td class="lineno" valign="top"></td><td class="lblock">   This section defines the syntax and semantics of <span class="delete">HTTP/1.1</span> header</td><td> </td><td class="rblock">   This section defines the syntax and semantics of header fields</td><td class="lineno" valign="top"></td></tr>
349      <tr><td class="lineno" valign="top"></td><td class="lblock">   fields related to <span class="delete">authentication.</span></td><td> </td><td class="rblock">   related to <span class="insert">the HTTP authentication framework.</span></td><td class="lineno" valign="top"></td></tr>
350      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
351      <tr><td><a name="diff0028" /></td></tr>
352      <tr><td class="lineno" valign="top"></td><td class="lblock">4.1.  Authorization</td><td> </td><td class="rblock">4.1.  <span class="insert">WWW-Authenticate</span></td><td class="lineno" valign="top"></td></tr>
353      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
354      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   The "WWW-Authenticate" header field indicates the authentication</span></td><td class="lineno" valign="top"></td></tr>
355      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   scheme(s) and parameters applicable to the target resource.</span></td><td class="lineno" valign="top"></td></tr>
356      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
357      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">     WWW-Authenticate = 1#challenge</span></td><td class="lineno" valign="top"></td></tr>
358      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
359      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   A server generating a 401 (Unauthorized) response MUST send a WWW-</span></td><td class="lineno" valign="top"></td></tr>
360      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   Authenticate header field containing at least one challenge.  A</span></td><td class="lineno" valign="top"></td></tr>
361      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   server MAY generate a WWW-Authenticate header field in other response</span></td><td class="lineno" valign="top"></td></tr>
362      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   messages to indicate that supplying credentials (or different</span></td><td class="lineno" valign="top"></td></tr>
363      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   credentials) might affect the response.</span></td><td class="lineno" valign="top"></td></tr>
364      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
365      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   A proxy forwarding a response MUST NOT modify any WWW-Authenticate</span></td><td class="lineno" valign="top"></td></tr>
366      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   fields in that response.</span></td><td class="lineno" valign="top"></td></tr>
367      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
368      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   User agents are advised to take special care in parsing the field</span></td><td class="lineno" valign="top"></td></tr>
369      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   value, as it might contain more than one challenge, and each</span></td><td class="lineno" valign="top"></td></tr>
370      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   challenge can contain a comma-separated list of authentication</span></td><td class="lineno" valign="top"></td></tr>
371      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   parameters.  Furthermore, the header field itself can occur multiple</span></td><td class="lineno" valign="top"></td></tr>
372      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   times.</span></td><td class="lineno" valign="top"></td></tr>
373      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
374      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   For instance:</span></td><td class="lineno" valign="top"></td></tr>
375      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
376      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">     WWW-Authenticate: Newauth realm="apps", type=1,</span></td><td class="lineno" valign="top"></td></tr>
377      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">                       title="Login to \"apps\"", Basic realm="simple"</span></td><td class="lineno" valign="top"></td></tr>
378      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
379      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   This header field contains two challenges; one for the "Newauth"</span></td><td class="lineno" valign="top"></td></tr>
380      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   scheme with a realm value of "apps", and two additional parameters</span></td><td class="lineno" valign="top"></td></tr>
381      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   "type" and "title", and another one for the "Basic" scheme with a</span></td><td class="lineno" valign="top"></td></tr>
382      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   realm value of "simple".</span></td><td class="lineno" valign="top"></td></tr>
383      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
384      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      Note: The challenge grammar production uses the list syntax as</span></td><td class="lineno" valign="top"></td></tr>
385      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      well.  Therefore, a sequence of comma, whitespace, and comma can</span></td><td class="lineno" valign="top"></td></tr>
386      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      be considered either as applying to the preceding challenge, or to</span></td><td class="lineno" valign="top"></td></tr>
387      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      be an empty entry in the list of challenges.  In practice, this</span></td><td class="lineno" valign="top"></td></tr>
388      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      ambiguity does not affect the semantics of the header field value</span></td><td class="lineno" valign="top"></td></tr>
389      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      and thus is harmless.</span></td><td class="lineno" valign="top"></td></tr>
390      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
391      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.2.</span>  Authorization</td><td class="lineno" valign="top"></td></tr>
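Review bot: The parsing advice in the new 4.1 ("User agents are advised to take special care in parsing the field value") names the difficulty but does not say what a recipient should do when it cannot tell where one challenge ends and the next begins. In the `Newauth realm="apps", type=1, ... , Basic realm="simple"` example, that boundary is only found by reading past each comma to see whether a parameter or a new scheme name follows. The closing Note covers only the empty-list-element case and calls it harmless. I would add one sentence after the example, along the lines of `A user agent that cannot parse a challenge unambiguously ought to ignore that challenge rather than guess at its scheme or parameters.` Whether this section is new text or was moved from elsewhere in -25 cannot be told from this change block.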
392      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
393      <tr><td class="lineno" valign="top"></td><td class="left">   The "Authorization" header field allows a user agent to authenticate</td><td> </td><td class="right">   The "Authorization" header field allows a user agent to authenticate</td><td class="lineno" valign="top"></td></tr>
394      <tr><td class="lineno" valign="top"></td><td class="left">   itself with an origin server -- usually, but not necessarily, after</td><td> </td><td class="right">   itself with an origin server -- usually, but not necessarily, after</td><td class="lineno" valign="top"></td></tr>
395      <tr><td class="lineno" valign="top"></td><td class="left">   receiving a 401 (Unauthorized) response.  Its value consists of</td><td> </td><td class="right">   receiving a 401 (Unauthorized) response.  Its value consists of</td><td class="lineno" valign="top"></td></tr>
396      <tr><td class="lineno" valign="top"></td><td class="left">   credentials containing the authentication information of the user</td><td> </td><td class="right">   credentials containing the authentication information of the user</td><td class="lineno" valign="top"></td></tr>
397      <tr><td class="lineno" valign="top"></td><td class="left">   agent for the realm of the resource being requested.</td><td> </td><td class="right">   agent for the realm of the resource being requested.</td><td class="lineno" valign="top"></td></tr>
398      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
399      <tr><td class="lineno" valign="top"></td><td class="left">     Authorization = credentials</td><td> </td><td class="right">     Authorization = credentials</td><td class="lineno" valign="top"></td></tr>
400      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
401      <tr><td class="lineno" valign="top"></td><td class="left">   If a request is authenticated and a realm specified, the same</td><td> </td><td class="right">   If a request is authenticated and a realm specified, the same</td><td class="lineno" valign="top"></td></tr>
402      <tr><td class="lineno" valign="top"></td><td class="left">   credentials are presumed to be valid for all other requests within</td><td> </td><td class="right">   credentials are presumed to be valid for all other requests within</td><td class="lineno" valign="top"></td></tr>
403      <tr><td class="lineno" valign="top"></td><td class="left">   this realm (assuming that the authentication scheme itself does not</td><td> </td><td class="right">   this realm (assuming that the authentication scheme itself does not</td><td class="lineno" valign="top"></td></tr>
404      <tr><td class="lineno" valign="top"></td><td class="left">   require otherwise, such as credentials that vary according to a</td><td> </td><td class="right">   require otherwise, such as credentials that vary according to a</td><td class="lineno" valign="top"></td></tr>
405      <tr><td class="lineno" valign="top"></td><td class="left">   challenge value or using synchronized clocks).</td><td> </td><td class="right">   challenge value or using synchronized clocks).</td><td class="lineno" valign="top"></td></tr>
406      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
407      <tr><td><a name="diff0029" /></td></tr>
408      <tr><td class="lineno" valign="top"></td><td class="lblock">   See Section 3.2 of [Part6] for details of and requirements pertaining</td><td> </td><td class="rblock">   <span class="insert">A proxy forwarding a request MUST NOT modify any Authorization fields</span></td><td class="lineno" valign="top"></td></tr>
409      <tr><td class="lineno" valign="top"></td><td class="lblock">   to handling of the Authorization field by HTTP caches.</td><td> </td><td class="rblock"><span class="insert">   in that request.</span>  See Section 3.2 of [Part6] for details of and</td><td class="lineno" valign="top"></td></tr>
410      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   requirements pertaining to handling of the Authorization field by</td><td class="lineno" valign="top"></td></tr>
411      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   HTTP caches.</td><td class="lineno" valign="top"></td></tr>
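Review bot: The sentence added here, `A proxy forwarding a request MUST NOT modify any Authorization fields in that request`, forbids modification but no longer says the field has to be forwarded. The sentence removed just before Section 2.2 did say so ("A proxy MUST forward the WWW-Authenticate and Authorization header fields unmodified"), and the matching WWW-Authenticate sentence added in the new 4.1 has the same gap. If dropping the field is still meant to be prohibited, the text could say so directly, e.g. `MUST NOT modify or remove any Authorization fields in that request`. If it is now permitted, a short statement to that effect would spare proxy implementers from guessing. The removed sentence also pointed to "the rules found in Section 4.1", and these change blocks do not show where that cross-reference went.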
412      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
413      <tr><td><a name="diff0030" /></td></tr>
414      <tr><td class="lineno" valign="top"></td><td class="lblock">4.<span class="delete">2</span>.  Proxy-Authenticate</td><td> </td><td class="rblock">4.<span class="insert">3</span>.  Proxy-Authenticate</td><td class="lineno" valign="top"></td></tr>
415      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
416      <tr><td class="lineno" valign="top"></td><td class="left">   The "Proxy-Authenticate" header field consists of at least one</td><td> </td><td class="right">   The "Proxy-Authenticate" header field consists of at least one</td><td class="lineno" valign="top"></td></tr>
417      <tr><td class="lineno" valign="top"></td><td class="left">   challenge that indicates the authentication scheme(s) and parameters</td><td> </td><td class="right">   challenge that indicates the authentication scheme(s) and parameters</td><td class="lineno" valign="top"></td></tr>
418      <tr><td class="lineno" valign="top"></td><td class="left">   applicable to the proxy for this effective request URI (Section 5.5</td><td> </td><td class="right">   applicable to the proxy for this effective request URI (Section 5.5</td><td class="lineno" valign="top"></td></tr>
419      <tr><td><a name="diff0031" /></td></tr>
420      <tr><td class="lineno" valign="top"></td><td class="lblock">   of [Part1]).  <span class="delete">It</span> MUST <span class="delete">be included as part of a</span> 407 (Proxy</td><td> </td><td class="rblock">   of [Part1]).  <span class="insert">A proxy</span> MUST <span class="insert">send at least one Proxy-Authenticate</span></td><td class="lineno" valign="top"></td></tr>
421      <tr><td class="lineno" valign="top"></td><td class="lblock">   Authentication Required) <span class="delete">response.</span></td><td> </td><td class="rblock"><span class="insert">   header field in each</span> 407 (Proxy Authentication Required) <span class="insert">response</span></td><td class="lineno" valign="top"></td></tr>
422      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   that it generates.</span></td><td class="lineno" valign="top"></td></tr>
423      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
424      <tr><td class="lineno" valign="top"></td><td class="left">     Proxy-Authenticate = 1#challenge</td><td> </td><td class="right">     Proxy-Authenticate = 1#challenge</td><td class="lineno" valign="top"></td></tr>
425      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
426      <tr><td class="lineno" valign="top"></td><td class="left">   Unlike WWW-Authenticate, the Proxy-Authenticate header field applies</td><td> </td><td class="right">   Unlike WWW-Authenticate, the Proxy-Authenticate header field applies</td><td class="lineno" valign="top"></td></tr>
427      <tr><td><a name="diff0032" /></td></tr>
428      <tr><td class="lineno" valign="top"></td><td class="lblock">   only to the next outbound client on the response <span class="delete">chain that chose to</span></td><td> </td><td class="rblock">   only to the next outbound client on the response <span class="insert">chain.  This</span> is</td><td class="lineno" valign="top"></td></tr>
429      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   direct its request to the responding proxy.  If that recipient</span> is</td><td> </td><td class="rblock">   <span class="insert">because only</span> the <span class="insert">client that chose</span> a <span class="insert">given proxy is likely</span> to <span class="insert">have</span></td><td class="lineno" valign="top"></td></tr>
430      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">also a proxy, it will generally consume</span> the <span class="delete">Proxy-Authenticate header</span></td><td> </td><td class="rblock"><span class="insert">   the credentials necessary for authentication.</span>  However, <span class="insert">when multiple</span></td><td class="lineno" valign="top"></td></tr>
431      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   field (and generate an appropriate Proxy-Authorization in</span> a</td><td> </td><td class="rblock"><span class="insert">   proxies are used within the same administrative domain, such as</span></td><td class="lineno" valign="top"></td></tr>
432      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">subsequent request) rather than forward the header field</span> to <span class="delete">its own</span></td><td> </td><td class="rblock"><span class="insert">   office and regional caching proxies within</span> a <span class="insert">large corporate network,</span></td><td class="lineno" valign="top"></td></tr>
433      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   outbound clients.</span>  However, <span class="delete">if</span> a <span class="delete">recipient proxy needs to obtain its</span></td><td> </td><td class="rblock"><span class="insert">   it is common for</span> credentials <span class="insert">to be generated</span> by <span class="insert">the user agent and</span></td><td class="lineno" valign="top"></td></tr>
434      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   own</span> credentials by <span class="delete">requesting them from</span> a <span class="delete">further outbound client,</span> it</td><td> </td><td class="rblock"><span class="insert">   passed through the hierarchy until consumed.  Hence, in such</span> a</td><td class="lineno" valign="top"></td></tr>
435      <tr><td class="lineno" valign="top"></td><td class="lblock">   will <span class="delete">generate its own 407 response, which might have the appearance</span></td><td> </td><td class="rblock">   <span class="insert">configuration,</span> it will <span class="insert">appear as</span> if <span class="insert">Proxy-Authenticate is being</span></td><td class="lineno" valign="top"></td></tr>
436      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   of forwarding the Proxy-Authenticate header field</span> if <span class="delete">both proxies use</span></td><td> </td><td class="rblock"><span class="insert">   forwarded because each proxy will send</span> the same challenge set.</td><td class="lineno" valign="top"></td></tr>
437      <tr><td class="lineno" valign="top"></td><td class="lblock">   the same challenge set.</td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
438      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
439      <tr><td class="lineno" valign="top"></td><td class="left">   Note that the parsing considerations for WWW-Authenticate apply to</td><td> </td><td class="right">   Note that the parsing considerations for WWW-Authenticate apply to</td><td class="lineno" valign="top"></td></tr>
440      <tr><td><a name="diff0033" /></td></tr>
441      <tr><td class="lineno" valign="top"></td><td class="lblock">   this header field as well; see Section 4.<span class="delete">4</span> for details.</td><td> </td><td class="rblock">   this header field as well; see Section 4.<span class="insert">1</span> for details.</td><td class="lineno" valign="top"></td></tr>
442      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
443      <tr><td><a name="diff0034" /></td></tr>
444      <tr><td class="lineno" valign="top"></td><td class="lblock">4.<span class="delete">3</span>.  Proxy-Authorization</td><td> </td><td class="rblock">4.<span class="insert">4</span>.  Proxy-Authorization</td><td class="lineno" valign="top"></td></tr>
445      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
446      <tr><td class="lineno" valign="top"></td><td class="left">   The "Proxy-Authorization" header field allows the client to identify</td><td> </td><td class="right">   The "Proxy-Authorization" header field allows the client to identify</td><td class="lineno" valign="top"></td></tr>
447      <tr><td class="lineno" valign="top"></td><td class="left">   itself (or its user) to a proxy that requires authentication.  Its</td><td> </td><td class="right">   itself (or its user) to a proxy that requires authentication.  Its</td><td class="lineno" valign="top"></td></tr>
448      <tr><td class="lineno" valign="top"></td><td class="left">   value consists of credentials containing the authentication</td><td> </td><td class="right">   value consists of credentials containing the authentication</td><td class="lineno" valign="top"></td></tr>
449      <tr><td class="lineno" valign="top"></td><td class="left">   information of the client for the proxy and/or realm of the resource</td><td> </td><td class="right">   information of the client for the proxy and/or realm of the resource</td><td class="lineno" valign="top"></td></tr>
450      <tr><td class="lineno" valign="top"></td><td class="left">   being requested.</td><td> </td><td class="right">   being requested.</td><td class="lineno" valign="top"></td></tr>
451      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
452      <tr><td class="lineno" valign="top"></td><td class="left">     Proxy-Authorization = credentials</td><td> </td><td class="right">     Proxy-Authorization = credentials</td><td class="lineno" valign="top"></td></tr>
453      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
454      <tr><td class="lineno" valign="top"></td><td class="left">   Unlike Authorization, the Proxy-Authorization header field applies</td><td> </td><td class="right">   Unlike Authorization, the Proxy-Authorization header field applies</td><td class="lineno" valign="top"></td></tr>
455      <tr><td class="lineno" valign="top"></td><td class="left">   only to the next inbound proxy that demanded authentication using the</td><td> </td><td class="right">   only to the next inbound proxy that demanded authentication using the</td><td class="lineno" valign="top"></td></tr>
456      <tr><td class="lineno" valign="top"></td><td class="left">   Proxy-Authenticate field.  When multiple proxies are used in a chain,</td><td> </td><td class="right">   Proxy-Authenticate field.  When multiple proxies are used in a chain,</td><td class="lineno" valign="top"></td></tr>
457      <tr><td class="lineno" valign="top"></td><td class="left">   the Proxy-Authorization header field is consumed by the first inbound</td><td> </td><td class="right">   the Proxy-Authorization header field is consumed by the first inbound</td><td class="lineno" valign="top"></td></tr>
458      <tr><td class="lineno" valign="top"></td><td class="left">   proxy that was expecting to receive credentials.  A proxy MAY relay</td><td> </td><td class="right">   proxy that was expecting to receive credentials.  A proxy MAY relay</td><td class="lineno" valign="top"></td></tr>
459      <tr><td class="lineno" valign="top"></td><td class="left">   the credentials from the client request to the next proxy if that is</td><td> </td><td class="right">   the credentials from the client request to the next proxy if that is</td><td class="lineno" valign="top"></td></tr>
460      <tr><td class="lineno" valign="top"></td><td class="left">   the mechanism by which the proxies cooperatively authenticate a given</td><td> </td><td class="right">   the mechanism by which the proxies cooperatively authenticate a given</td><td class="lineno" valign="top"></td></tr>
461      <tr><td class="lineno" valign="top"></td><td class="left">   request.</td><td> </td><td class="right">   request.</td><td class="lineno" valign="top"></td></tr>
462      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
463      <tr><td><a name="diff0035" /></td></tr>
464      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">4.4.  WWW-Authenticate</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
465      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
466      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   The "WWW-Authenticate" header field consists of at least one</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
467      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   challenge that indicates the authentication scheme(s) and parameters</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
468      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   applicable to the effective request URI (Section 5.5 of [Part1]).</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
469      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
470      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   It MUST be included in 401 (Unauthorized) response messages and MAY</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
471      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   be included in other response messages to indicate that supplying</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
472      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   credentials (or different credentials) might affect the response.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
473      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
474      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">     WWW-Authenticate = 1#challenge</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
475      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
476      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   User agents are advised to take special care in parsing the field</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
477      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   value, as it might contain more than one challenge, and each</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
478      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   challenge can contain a comma-separated list of authentication</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
479      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   parameters.  Furthermore, the header field itself can occur multiple</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
480      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   times.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
481      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
482      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   For instance:</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
483      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
484      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">     WWW-Authenticate: Newauth realm="apps", type=1,</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
485      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">                       title="Login to \"apps\"", Basic realm="simple"</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
486      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
487      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   This header field contains two challenges; one for the "Newauth"</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
488      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   scheme with a realm value of "apps", and two additional parameters</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
489      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   "type" and "title", and another one for the "Basic" scheme with a</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
490      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   realm value of "simple".</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
491      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
492      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">      Note: The challenge grammar production uses the list syntax as</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
493      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">      well.  Therefore, a sequence of comma, whitespace, and comma can</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
494      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">      be considered either as applying to the preceding challenge, or to</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
495      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">      be an empty entry in the list of challenges.  In practice, this</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
496      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">      ambiguity does not affect the semantics of the header field value</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
497      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">      and thus is harmless.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
498      <tr><td class="lineno" valign="top"></td><td class="lblock">                                                                         </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
499      <tr><td class="lineno" valign="top"></td><td class="left">5.  IANA Considerations</td><td> </td><td class="right">5.  IANA Considerations</td><td class="lineno" valign="top"></td></tr>
500      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
501      <tr><td class="lineno" valign="top"></td><td class="left">5.1.  Authentication Scheme Registry</td><td> </td><td class="right">5.1.  Authentication Scheme Registry</td><td class="lineno" valign="top"></td></tr>
502      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
503      <tr><td class="lineno" valign="top"></td><td class="left">   The HTTP Authentication Scheme Registry defines the name space for</td><td> </td><td class="right">   The HTTP Authentication Scheme Registry defines the name space for</td><td class="lineno" valign="top"></td></tr>
504      <tr><td class="lineno" valign="top"></td><td class="left">   the authentication schemes in challenges and credentials.  It will be</td><td> </td><td class="right">   the authentication schemes in challenges and credentials.  It will be</td><td class="lineno" valign="top"></td></tr>
505      <tr><td class="lineno" valign="top"></td><td class="left">   created and maintained at (the suggested URI)</td><td> </td><td class="right">   created and maintained at (the suggested URI)</td><td class="lineno" valign="top"></td></tr>
506      <tr><td class="lineno" valign="top"></td><td class="left">   &lt;http://www.iana.org/assignments/http-authschemes&gt;.</td><td> </td><td class="right">   &lt;http://www.iana.org/assignments/http-authschemes&gt;.</td><td class="lineno" valign="top"></td></tr>
507      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
508      <tr><td class="lineno" valign="top"></td><td class="left">5.1.1.  Procedure</td><td> </td><td class="right">5.1.1.  Procedure</td><td class="lineno" valign="top"></td></tr>
509      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
510      <tr bgcolor="gray" ><td></td><th><a name="part-l4" /><small>skipping to change at</small><em> page 12, line 25</em></th><th> </th><th><a name="part-r4" /><small>skipping to change at</small><em> page 12, line 31</em></th><td></td></tr>
511      <tr><td class="lineno" valign="top"></td><td class="left">   Registry maintained at &lt;http://www.iana.org/assignments/</td><td> </td><td class="right">   Registry maintained at &lt;http://www.iana.org/assignments/</td><td class="lineno" valign="top"></td></tr>
512      <tr><td class="lineno" valign="top"></td><td class="left">   message-headers/message-header-index.html&gt;.</td><td> </td><td class="right">   message-headers/message-header-index.html&gt;.</td><td class="lineno" valign="top"></td></tr>
513      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
514      <tr><td class="lineno" valign="top"></td><td class="left">   This document defines the following HTTP header fields, so their</td><td> </td><td class="right">   This document defines the following HTTP header fields, so their</td><td class="lineno" valign="top"></td></tr>
515      <tr><td class="lineno" valign="top"></td><td class="left">   associated registry entries shall be updated according to the</td><td> </td><td class="right">   associated registry entries shall be updated according to the</td><td class="lineno" valign="top"></td></tr>
516      <tr><td class="lineno" valign="top"></td><td class="left">   permanent registrations below (see [BCP90]):</td><td> </td><td class="right">   permanent registrations below (see [BCP90]):</td><td class="lineno" valign="top"></td></tr>
517      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
518      <tr><td class="lineno" valign="top"></td><td class="left">   +---------------------+----------+----------+-------------+</td><td> </td><td class="right">   +---------------------+----------+----------+-------------+</td><td class="lineno" valign="top"></td></tr>
519      <tr><td class="lineno" valign="top"></td><td class="left">   | Header Field Name   | Protocol | Status   | Reference   |</td><td> </td><td class="right">   | Header Field Name   | Protocol | Status   | Reference   |</td><td class="lineno" valign="top"></td></tr>
520      <tr><td class="lineno" valign="top"></td><td class="left">   +---------------------+----------+----------+-------------+</td><td> </td><td class="right">   +---------------------+----------+----------+-------------+</td><td class="lineno" valign="top"></td></tr>
521      <tr><td><a name="diff0036" /></td></tr>
522      <tr><td class="lineno" valign="top"></td><td class="lblock">   | Authorization       | http     | standard | Section <span class="delete">4.1</span> |</td><td> </td><td class="rblock">   | Authorization       | http     | standard | Section <span class="insert">4.2</span> |</td><td class="lineno" valign="top"></td></tr>
523      <tr><td class="lineno" valign="top"></td><td class="lblock">   | Proxy-Authenticate  | http     | standard | Section <span class="delete">4.2</span> |</td><td> </td><td class="rblock">   | Proxy-Authenticate  | http     | standard | Section <span class="insert">4.3</span> |</td><td class="lineno" valign="top"></td></tr>
524      <tr><td class="lineno" valign="top"></td><td class="lblock">   | Proxy-Authorization | http     | standard | Section <span class="delete">4.3</span> |</td><td> </td><td class="rblock">   | Proxy-Authorization | http     | standard | Section <span class="insert">4.4</span> |</td><td class="lineno" valign="top"></td></tr>
525      <tr><td class="lineno" valign="top"></td><td class="lblock">   | WWW-Authenticate    | http     | standard | Section <span class="delete">4.4</span> |</td><td> </td><td class="rblock">   | WWW-Authenticate    | http     | standard | Section <span class="insert">4.1</span> |</td><td class="lineno" valign="top"></td></tr>
526      <tr><td class="lineno" valign="top"></td><td class="left">   +---------------------+----------+----------+-------------+</td><td> </td><td class="right">   +---------------------+----------+----------+-------------+</td><td class="lineno" valign="top"></td></tr>
527      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
528      <tr><td class="lineno" valign="top"></td><td class="left">   The change controller is: "IETF (iesg@ietf.org) - Internet</td><td> </td><td class="right">   The change controller is: "IETF (iesg@ietf.org) - Internet</td><td class="lineno" valign="top"></td></tr>
529      <tr><td class="lineno" valign="top"></td><td class="left">   Engineering Task Force".</td><td> </td><td class="right">   Engineering Task Force".</td><td class="lineno" valign="top"></td></tr>
530      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
531      <tr><td class="lineno" valign="top"></td><td class="left">6.  Security Considerations</td><td> </td><td class="right">6.  Security Considerations</td><td class="lineno" valign="top"></td></tr>
532      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
533      <tr><td class="lineno" valign="top"></td><td class="left">   This section is meant to inform developers, information providers,</td><td> </td><td class="right">   This section is meant to inform developers, information providers,</td><td class="lineno" valign="top"></td></tr>
534      <tr><td><a name="diff0037" /></td></tr>
535      <tr><td class="lineno" valign="top"></td><td class="lblock">   and users of known security concerns specific to <span class="delete">HTTP/1.1</span></td><td> </td><td class="rblock">   and users of known security concerns specific to <span class="insert">HTTP</span> authentication.</td><td class="lineno" valign="top"></td></tr>
536      <tr><td class="lineno" valign="top"></td><td class="lblock">   authentication.  More general security considerations are addressed</td><td> </td><td class="rblock">   More general security considerations are addressed in HTTP messaging</td><td class="lineno" valign="top"></td></tr>
537      <tr><td class="lineno" valign="top"></td><td class="lblock">   in HTTP messaging [Part1] and semantics [Part2].</td><td> </td><td class="rblock">   [Part1] and semantics [Part2].</td><td class="lineno" valign="top"></td></tr>
538      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
539      <tr><td><a name="diff0038" /></td></tr>
540      <tr><td class="lineno" valign="top"></td><td class="lblock">6.1.  Authentication Credentials and Idle Clients</td><td> </td><td class="rblock">   <span class="insert">Everything about the topic of HTTP authentication is a security</span></td><td class="lineno" valign="top"></td></tr>
541      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   consideration, so the list of considerations below is not exhaustive.</span></td><td class="lineno" valign="top"></td></tr>
542      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   Furthermore, it is limited to security considerations regarding the</span></td><td class="lineno" valign="top"></td></tr>
543      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   authentication framework, in general, rather than discussing all of</span></td><td class="lineno" valign="top"></td></tr>
544      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   the potential considerations for specific authentication schemes</span></td><td class="lineno" valign="top"></td></tr>
545      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   (which ought to be documented in the specifications that define those</span></td><td class="lineno" valign="top"></td></tr>
546      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   schemes).  Various organizations maintain topical information and</span></td><td class="lineno" valign="top"></td></tr>
547      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   links to current research on Web application security (e.g.,</span></td><td class="lineno" valign="top"></td></tr>
548      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   [OWASP]), including common pitfalls for implementing and using the</span></td><td class="lineno" valign="top"></td></tr>
549      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   authentication schemes found in practice.</span></td><td class="lineno" valign="top"></td></tr>
550      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">                                                                         </td><td class="lineno" valign="top"></td></tr>
551      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">6.1.  <span class="insert">Confidentiality of Credentials</span></td><td class="lineno" valign="top"></td></tr>
552      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
553      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   The HTTP authentication framework does not define a single mechanism</span></td><td class="lineno" valign="top"></td></tr>
554      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   for maintaining the confidentiality of credentials; instead, each</span></td><td class="lineno" valign="top"></td></tr>
555      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   authentication scheme defines how the credentials are encoded prior</span></td><td class="lineno" valign="top"></td></tr>
556      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   to transmission.  While this provides flexibility for the development</span></td><td class="lineno" valign="top"></td></tr>
557      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   of future authentication schemes, it is inadequate for the protection</span></td><td class="lineno" valign="top"></td></tr>
558      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   of existing schemes that provide no confidentiality on their own, or</span></td><td class="lineno" valign="top"></td></tr>
559      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   that do not sufficiently protect against replay attacks.</span></td><td class="lineno" valign="top"></td></tr>
560      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   Furthermore, if the server expects credentials that are specific to</span></td><td class="lineno" valign="top"></td></tr>
561      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   each individual user, the exchange of those credentials will have the</span></td><td class="lineno" valign="top"></td></tr>
562      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   effect of identifying that user even if the content within</span></td><td class="lineno" valign="top"></td></tr>
563      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   credentials remains confidential.</span></td><td class="lineno" valign="top"></td></tr>
564      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
565      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   HTTP depends on the security properties of the underlying transport</span></td><td class="lineno" valign="top"></td></tr>
566      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   or session-level connection to provide confidential transmission of</span></td><td class="lineno" valign="top"></td></tr>
567      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   header fields.  In other words, if a server limits access to</span></td><td class="lineno" valign="top"></td></tr>
568      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   authenticated users using this framework, the server needs to ensure</span></td><td class="lineno" valign="top"></td></tr>
569      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   that the connection is properly secured in accordance with the nature</span></td><td class="lineno" valign="top"></td></tr>
570      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   of the authentication scheme used.  For example, services that depend</span></td><td class="lineno" valign="top"></td></tr>
571      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   on individual user authentication often require a connection to be</span></td><td class="lineno" valign="top"></td></tr>
572      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   secured with TLS ("Transport Layer Security", [RFC5246]) prior to</span></td><td class="lineno" valign="top"></td></tr>
573      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   exchanging any credentials.</span></td><td class="lineno" valign="top"></td></tr>
574      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
575      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">6.2.</span>  Authentication Credentials and Idle Clients</td><td class="lineno" valign="top"></td></tr>
576      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
577      <tr><td class="lineno" valign="top"></td><td class="left">   Existing HTTP clients and user agents typically retain authentication</td><td> </td><td class="right">   Existing HTTP clients and user agents typically retain authentication</td><td class="lineno" valign="top"></td></tr>
578      <tr><td class="lineno" valign="top"></td><td class="left">   information indefinitely.  HTTP does not provide a mechanism for the</td><td> </td><td class="right">   information indefinitely.  HTTP does not provide a mechanism for the</td><td class="lineno" valign="top"></td></tr>
579      <tr><td class="lineno" valign="top"></td><td class="left">   origin server to direct clients to discard these cached credentials,</td><td> </td><td class="right">   origin server to direct clients to discard these cached credentials,</td><td class="lineno" valign="top"></td></tr>
580      <tr><td class="lineno" valign="top"></td><td class="left">   since the protocol has no awareness of how credentials are obtained</td><td> </td><td class="right">   since the protocol has no awareness of how credentials are obtained</td><td class="lineno" valign="top"></td></tr>
581      <tr><td class="lineno" valign="top"></td><td class="left">   or managed by the user agent.  The mechanisms for expiring or</td><td> </td><td class="right">   or managed by the user agent.  The mechanisms for expiring or</td><td class="lineno" valign="top"></td></tr>
582      <tr><td class="lineno" valign="top"></td><td class="left">   revoking credentials can be specified as part of an authentication</td><td> </td><td class="right">   revoking credentials can be specified as part of an authentication</td><td class="lineno" valign="top"></td></tr>
583      <tr><td class="lineno" valign="top"></td><td class="left">   scheme definition.</td><td> </td><td class="right">   scheme definition.</td><td class="lineno" valign="top"></td></tr>
584      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
585      <tr><td class="lineno" valign="top"></td><td class="left">   Circumstances under which credential caching can interfere with the</td><td> </td><td class="right">   Circumstances under which credential caching can interfere with the</td><td class="lineno" valign="top"></td></tr>
586      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
587      <tr bgcolor="gray" ><td></td><th><a name="part-l5" /><small>skipping to change at</small><em> page 13, line 18</em></th><th> </th><th><a name="part-r5" /><small>skipping to change at</small><em> page 14, line 11</em></th><td></td></tr>
588      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
589      <tr><td class="lineno" valign="top"></td><td class="left">   o  Applications that include a session termination indication (such</td><td> </td><td class="right">   o  Applications that include a session termination indication (such</td><td class="lineno" valign="top"></td></tr>
590      <tr><td class="lineno" valign="top"></td><td class="left">      as a "logout" or "commit" button on a page) after which the server</td><td> </td><td class="right">      as a "logout" or "commit" button on a page) after which the server</td><td class="lineno" valign="top"></td></tr>
591      <tr><td class="lineno" valign="top"></td><td class="left">      side of the application "knows" that there is no further reason</td><td> </td><td class="right">      side of the application "knows" that there is no further reason</td><td class="lineno" valign="top"></td></tr>
592      <tr><td class="lineno" valign="top"></td><td class="left">      for the client to retain the credentials.</td><td> </td><td class="right">      for the client to retain the credentials.</td><td class="lineno" valign="top"></td></tr>
593      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
594      <tr><td class="lineno" valign="top"></td><td class="left">   User agents that cache credentials are encouraged to provide a</td><td> </td><td class="right">   User agents that cache credentials are encouraged to provide a</td><td class="lineno" valign="top"></td></tr>
595      <tr><td class="lineno" valign="top"></td><td class="left">   readily accessible mechanism for discarding cached credentials under</td><td> </td><td class="right">   readily accessible mechanism for discarding cached credentials under</td><td class="lineno" valign="top"></td></tr>
596      <tr><td class="lineno" valign="top"></td><td class="left">   user control.</td><td> </td><td class="right">   user control.</td><td class="lineno" valign="top"></td></tr>
597      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
598      <tr><td><a name="diff0039" /></td></tr>
599      <tr><td class="lineno" valign="top"></td><td class="lblock">6.<span class="delete">2</span>.  Protection Spaces</td><td> </td><td class="rblock">6.<span class="insert">3</span>.  Protection Spaces</td><td class="lineno" valign="top"></td></tr>
600      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
601      <tr><td class="lineno" valign="top"></td><td class="left">   Authentication schemes that solely rely on the "realm" mechanism for</td><td> </td><td class="right">   Authentication schemes that solely rely on the "realm" mechanism for</td><td class="lineno" valign="top"></td></tr>
602      <tr><td class="lineno" valign="top"></td><td class="left">   establishing a protection space will expose credentials to all</td><td> </td><td class="right">   establishing a protection space will expose credentials to all</td><td class="lineno" valign="top"></td></tr>
603      <tr><td class="lineno" valign="top"></td><td class="left">   resources on an origin server.  Clients that have successfully made</td><td> </td><td class="right">   resources on an origin server.  Clients that have successfully made</td><td class="lineno" valign="top"></td></tr>
604      <tr><td class="lineno" valign="top"></td><td class="left">   authenticated requests with a resource can use the same</td><td> </td><td class="right">   authenticated requests with a resource can use the same</td><td class="lineno" valign="top"></td></tr>
605      <tr><td class="lineno" valign="top"></td><td class="left">   authentication credentials for other resources on the same origin</td><td> </td><td class="right">   authentication credentials for other resources on the same origin</td><td class="lineno" valign="top"></td></tr>
606      <tr><td class="lineno" valign="top"></td><td class="left">   server.  This makes it possible for a different resource to harvest</td><td> </td><td class="right">   server.  This makes it possible for a different resource to harvest</td><td class="lineno" valign="top"></td></tr>
607      <tr><td class="lineno" valign="top"></td><td class="left">   authentication credentials for other resources.</td><td> </td><td class="right">   authentication credentials for other resources.</td><td class="lineno" valign="top"></td></tr>
608      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
609      <tr><td class="lineno" valign="top"></td><td class="left">   This is of particular concern when an origin server hosts resources</td><td> </td><td class="right">   This is of particular concern when an origin server hosts resources</td><td class="lineno" valign="top"></td></tr>
610      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
611      <tr bgcolor="gray" ><td></td><th><a name="part-l6" /><small>skipping to change at</small><em> page 14, line 4</em></th><th> </th><th><a name="part-r6" /><small>skipping to change at</small><em> page 14, line 42</em></th><td></td></tr>
612      <tr><td class="lineno" valign="top"></td><td class="left">   Authentication Framework, previously defined in RFC 2617.  We thank</td><td> </td><td class="right">   Authentication Framework, previously defined in RFC 2617.  We thank</td><td class="lineno" valign="top"></td></tr>
613      <tr><td class="lineno" valign="top"></td><td class="left">   John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D.</td><td> </td><td class="right">   John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D.</td><td class="lineno" valign="top"></td></tr>
614      <tr><td class="lineno" valign="top"></td><td class="left">   Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for</td><td> </td><td class="right">   Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for</td><td class="lineno" valign="top"></td></tr>
615      <tr><td class="lineno" valign="top"></td><td class="left">   their work on that specification.  See Section 6 of [RFC2617] for</td><td> </td><td class="right">   their work on that specification.  See Section 6 of [RFC2617] for</td><td class="lineno" valign="top"></td></tr>
616      <tr><td class="lineno" valign="top"></td><td class="left">   further acknowledgements.</td><td> </td><td class="right">   further acknowledgements.</td><td class="lineno" valign="top"></td></tr>
617      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
618      <tr><td class="lineno" valign="top"></td><td class="left">   See Section 10 of [Part1] for the Acknowledgments related to this</td><td> </td><td class="right">   See Section 10 of [Part1] for the Acknowledgments related to this</td><td class="lineno" valign="top"></td></tr>
619      <tr><td class="lineno" valign="top"></td><td class="left">   document revision.</td><td> </td><td class="right">   document revision.</td><td class="lineno" valign="top"></td></tr>
620      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
621      <tr><td class="lineno" valign="top"></td><td class="left">8.  References</td><td> </td><td class="right">8.  References</td><td class="lineno" valign="top"></td></tr>
622      <tr><td><a name="diff0040" /></td></tr>
623      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">                                                                         </span></td><td class="lineno" valign="top"></td></tr>
624      <tr><td class="lineno" valign="top"></td><td class="left">8.1.  Normative References</td><td> </td><td class="right">8.1.  Normative References</td><td class="lineno" valign="top"></td></tr>
625      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
626      <tr><td class="lineno" valign="top"></td><td class="left">   [Part1]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer</td><td> </td><td class="right">   [Part1]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer</td><td class="lineno" valign="top"></td></tr>
627      <tr><td class="lineno" valign="top"></td><td class="left">              Protocol (HTTP/1.1): Message Syntax and Routing",</td><td> </td><td class="right">              Protocol (HTTP/1.1): Message Syntax and Routing",</td><td class="lineno" valign="top"></td></tr>
628      <tr><td><a name="diff0041" /></td></tr>
629      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">draft-ietf-httpbis-p1-messaging-25</span> (work in progress),</td><td> </td><td class="rblock">              <span class="insert">draft-ietf-httpbis-p1-messaging-26</span> (work in progress),</td><td class="lineno" valign="top"></td></tr>
630      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">November 2013.</span></td><td> </td><td class="rblock">              <span class="insert">February 2014.</span></td><td class="lineno" valign="top"></td></tr>
631      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
632      <tr><td class="lineno" valign="top"></td><td class="left">   [Part2]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer</td><td> </td><td class="right">   [Part2]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer</td><td class="lineno" valign="top"></td></tr>
633      <tr><td class="lineno" valign="top"></td><td class="left">              Protocol (HTTP/1.1): Semantics and Content",</td><td> </td><td class="right">              Protocol (HTTP/1.1): Semantics and Content",</td><td class="lineno" valign="top"></td></tr>
634      <tr><td><a name="diff0042" /></td></tr>
635      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">draft-ietf-httpbis-p2-semantics-25</span> (work in progress),</td><td> </td><td class="rblock">              <span class="insert">draft-ietf-httpbis-p2-semantics-26</span> (work in progress),</td><td class="lineno" valign="top"></td></tr>
636      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">November 2013.</span></td><td> </td><td class="rblock">              <span class="insert">February 2014.</span></td><td class="lineno" valign="top"></td></tr>
637      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
638      <tr><td class="lineno" valign="top"></td><td class="left">   [Part6]    Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,</td><td> </td><td class="right">   [Part6]    Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,</td><td class="lineno" valign="top"></td></tr>
639      <tr><td class="lineno" valign="top"></td><td class="left">              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",</td><td> </td><td class="right">              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",</td><td class="lineno" valign="top"></td></tr>
640      <tr><td><a name="diff0043" /></td></tr>
641      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">draft-ietf-httpbis-p6-cache-25</span> (work in progress),</td><td> </td><td class="rblock">              <span class="insert">draft-ietf-httpbis-p6-cache-26</span> (work in progress),</td><td class="lineno" valign="top"></td></tr>
642      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">November 2013.</span></td><td> </td><td class="rblock">              <span class="insert">February 2014.</span></td><td class="lineno" valign="top"></td></tr>
643      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
644      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate</td><td> </td><td class="right">   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate</td><td class="lineno" valign="top"></td></tr>
645      <tr><td class="lineno" valign="top"></td><td class="left">              Requirement Levels", BCP 14, RFC 2119, March 1997.</td><td> </td><td class="right">              Requirement Levels", BCP 14, RFC 2119, March 1997.</td><td class="lineno" valign="top"></td></tr>
646      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
647      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax</td><td> </td><td class="right">   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax</td><td class="lineno" valign="top"></td></tr>
648      <tr><td class="lineno" valign="top"></td><td class="left">              Specifications: ABNF", STD 68, RFC 5234, January 2008.</td><td> </td><td class="right">              Specifications: ABNF", STD 68, RFC 5234, January 2008.</td><td class="lineno" valign="top"></td></tr>
649      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
650      <tr><td class="lineno" valign="top"></td><td class="left">8.2.  Informative References</td><td> </td><td class="right">8.2.  Informative References</td><td class="lineno" valign="top"></td></tr>
651      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
652      <tr><td class="lineno" valign="top"></td><td class="left">   [BCP90]    Klyne, G., Nottingham, M., and J. Mogul, "Registration</td><td> </td><td class="right">   [BCP90]    Klyne, G., Nottingham, M., and J. Mogul, "Registration</td><td class="lineno" valign="top"></td></tr>
653      <tr><td class="lineno" valign="top"></td><td class="left">              Procedures for Message Header Fields", BCP 90, RFC 3864,</td><td> </td><td class="right">              Procedures for Message Header Fields", BCP 90, RFC 3864,</td><td class="lineno" valign="top"></td></tr>
654      <tr><td class="lineno" valign="top"></td><td class="left">              September 2004.</td><td> </td><td class="right">              September 2004.</td><td class="lineno" valign="top"></td></tr>
655      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
656      <tr><td><a name="diff0044" /></td></tr>
657      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   <span class="insert">[OWASP]    van der Stock, A., Ed., "A Guide to Building Secure Web</span></td><td class="lineno" valign="top"></td></tr>
658      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">              Applications and Web Services", The Open Web Application</span></td><td class="lineno" valign="top"></td></tr>
659      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">              Security Project (OWASP) 2.0.1, July 2005,</span></td><td class="lineno" valign="top"></td></tr>
660      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">              &lt;https://www.owasp.org/&gt;.</span></td><td class="lineno" valign="top"></td></tr>
661      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">                                                                         </td><td class="lineno" valign="top"></td></tr>
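Review bot: The added [OWASP] entry gives only the site root, `<https://www.owasp.org/>`, as its locator, so a reader cannot get from the citation to the edition it names (2.0.1, July 2005), and whatever the root page serves will change independently of that edition. If the entry is meant to back specific security guidance, it should carry a stable locator for that edition, for example `<STABLE-URL-OF-GUIDE-2.0.1>` (placeholder for the editors to fill in). If it is meant to cite the project as a whole, the version and date should be dropped so the entry does not imply a pinned document. The text that cites [OWASP] lies outside this hunk, so which reading is intended cannot be confirmed from here.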
662      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,</td><td> </td><td class="right">   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,</td><td class="lineno" valign="top"></td></tr>
663      <tr><td class="lineno" valign="top"></td><td class="left">              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext</td><td> </td><td class="right">              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext</td><td class="lineno" valign="top"></td></tr>
664      <tr><td class="lineno" valign="top"></td><td class="left">              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.</td><td> </td><td class="right">              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.</td><td class="lineno" valign="top"></td></tr>
665      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
666      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,</td><td> </td><td class="right">   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,</td><td class="lineno" valign="top"></td></tr>
667      <tr><td class="lineno" valign="top"></td><td class="left">              Leach, P., Luotonen, A., and L. Stewart, "HTTP</td><td> </td><td class="right">              Leach, P., Luotonen, A., and L. Stewart, "HTTP</td><td class="lineno" valign="top"></td></tr>
668      <tr><td class="lineno" valign="top"></td><td class="left">              Authentication: Basic and Digest Access Authentication",</td><td> </td><td class="right">              Authentication: Basic and Digest Access Authentication",</td><td class="lineno" valign="top"></td></tr>
669      <tr><td class="lineno" valign="top"></td><td class="left">              RFC 2617, June 1999.</td><td> </td><td class="right">              RFC 2617, June 1999.</td><td class="lineno" valign="top"></td></tr>
670      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
671      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform</td><td> </td><td class="right">   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform</td><td class="lineno" valign="top"></td></tr>
672      <tr><td class="lineno" valign="top"></td><td class="left">              Resource Identifier (URI): Generic Syntax", STD 66,</td><td> </td><td class="right">              Resource Identifier (URI): Generic Syntax", STD 66,</td><td class="lineno" valign="top"></td></tr>
673      <tr><td class="lineno" valign="top"></td><td class="left">              RFC 3986, January 2005.</td><td> </td><td class="right">              RFC 3986, January 2005.</td><td class="lineno" valign="top"></td></tr>
674      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
675      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data</td><td> </td><td class="right">   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data</td><td class="lineno" valign="top"></td></tr>
676      <tr><td class="lineno" valign="top"></td><td class="left">              Encodings", RFC 4648, October 2006.</td><td> </td><td class="right">              Encodings", RFC 4648, October 2006.</td><td class="lineno" valign="top"></td></tr>
677      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
678      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an</td><td> </td><td class="right">   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an</td><td class="lineno" valign="top"></td></tr>
679      <tr><td class="lineno" valign="top"></td><td class="left">              IANA Considerations Section in RFCs", BCP 26, RFC 5226,</td><td> </td><td class="right">              IANA Considerations Section in RFCs", BCP 26, RFC 5226,</td><td class="lineno" valign="top"></td></tr>
680      <tr><td class="lineno" valign="top"></td><td class="left">              May 2008.</td><td> </td><td class="right">              May 2008.</td><td class="lineno" valign="top"></td></tr>
681      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
682      <tr><td><a name="diff0045" /></td></tr>
683      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">   <span class="insert">[RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security</span></td><td class="lineno" valign="top"></td></tr>
684      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">              (TLS) Protocol Version 1.2", RFC 5246, August 2008.</span></td><td class="lineno" valign="top"></td></tr>
685      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">                                                                         </td><td class="lineno" valign="top"></td></tr>
686      <tr><td class="lineno" valign="top"></td><td class="left">Appendix A.  Changes from RFCs 2616 and 2617</td><td> </td><td class="right">Appendix A.  Changes from RFCs 2616 and 2617</td><td class="lineno" valign="top"></td></tr>
687      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
688      <tr><td class="lineno" valign="top"></td><td class="left">   The framework for HTTP Authentication is now defined by this</td><td> </td><td class="right">   The framework for HTTP Authentication is now defined by this</td><td class="lineno" valign="top"></td></tr>
689      <tr><td class="lineno" valign="top"></td><td class="left">   document, rather than RFC 2617.</td><td> </td><td class="right">   document, rather than RFC 2617.</td><td class="lineno" valign="top"></td></tr>
690      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
691      <tr><td class="lineno" valign="top"></td><td class="left">   The "realm" parameter is no longer always required on challenges;</td><td> </td><td class="right">   The "realm" parameter is no longer always required on challenges;</td><td class="lineno" valign="top"></td></tr>
692      <tr><td class="lineno" valign="top"></td><td class="left">   consequently, the ABNF allows challenges without any auth parameters.</td><td> </td><td class="right">   consequently, the ABNF allows challenges without any auth parameters.</td><td class="lineno" valign="top"></td></tr>
693      <tr><td class="lineno" valign="top"></td><td class="left">   (Section 2)</td><td> </td><td class="right">   (Section 2)</td><td class="lineno" valign="top"></td></tr>
694      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
695      <tr><td class="lineno" valign="top"></td><td class="left">   The "token68" alternative to auth-param lists has been added for</td><td> </td><td class="right">   The "token68" alternative to auth-param lists has been added for</td><td class="lineno" valign="top"></td></tr>
696      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
697      <tr bgcolor="gray" ><td></td><th><a name="part-l7" /><small>skipping to change at</small><em> page 17, line 5</em></th><th> </th><th><a name="part-r7" /><small>skipping to change at</small><em> page 18, line 5</em></th><td></td></tr>
698      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
699      <tr><td class="lineno" valign="top"></td><td class="left">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/510&gt;: "SECDIR review</td><td> </td><td class="right">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/510&gt;: "SECDIR review</td><td class="lineno" valign="top"></td></tr>
700      <tr><td class="lineno" valign="top"></td><td class="left">      of draft-ietf-httpbis-p7-auth-24"</td><td> </td><td class="right">      of draft-ietf-httpbis-p7-auth-24"</td><td class="lineno" valign="top"></td></tr>
701      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
702      <tr><td class="lineno" valign="top"></td><td class="left">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/513&gt;: "APPSDIR</td><td> </td><td class="right">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/513&gt;: "APPSDIR</td><td class="lineno" valign="top"></td></tr>
703      <tr><td class="lineno" valign="top"></td><td class="left">      review of draft-ietf-httpbis-p7-auth-24"</td><td> </td><td class="right">      review of draft-ietf-httpbis-p7-auth-24"</td><td class="lineno" valign="top"></td></tr>
704      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
705      <tr><td class="lineno" valign="top"></td><td class="left">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/516&gt;: "note about</td><td> </td><td class="right">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/516&gt;: "note about</td><td class="lineno" valign="top"></td></tr>
706      <tr><td class="lineno" valign="top"></td><td class="left">      WWW-A parsing potentially misleading"</td><td> </td><td class="right">      WWW-A parsing potentially misleading"</td><td class="lineno" valign="top"></td></tr>
707      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
708      <tr><td><a name="diff0046" /></td></tr>
709      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">D.2.  Since draft-ietf-httpbis-p7-auth-25</span></td><td class="lineno" valign="top"></td></tr>
710      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
711      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   Closed issues:</span></td><td class="lineno" valign="top"></td></tr>
712      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
713      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/522&gt;: "Gen-art</span></td><td class="lineno" valign="top"></td></tr>
714      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      review of draft-ietf-httpbis-p7-auth-25"</span></td><td class="lineno" valign="top"></td></tr>
715      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
716      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/536&gt;: "IESG ballot</span></td><td class="lineno" valign="top"></td></tr>
717      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      on draft-ietf-httpbis-p7-auth-25"</span></td><td class="lineno" valign="top"></td></tr>
718      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
719      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/538&gt;: "add</span></td><td class="lineno" valign="top"></td></tr>
720      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      'stateless' to Abstract"</span></td><td class="lineno" valign="top"></td></tr>
721      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
722      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/539&gt;: "mention TLS</span></td><td class="lineno" valign="top"></td></tr>
723      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      vs plain text passwords or dict attacks?"</span></td><td class="lineno" valign="top"></td></tr>
724      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
725      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/542&gt;: "improve</span></td><td class="lineno" valign="top"></td></tr>
726      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      introduction of list rule"</span></td><td class="lineno" valign="top"></td></tr>
727      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
728      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   o  &lt;http://tools.ietf.org/wg/httpbis/trac/ticket/549&gt;: "augment</span></td><td class="lineno" valign="top"></td></tr>
729      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">      security considerations with pointers to current research"</span></td><td class="lineno" valign="top"></td></tr>
730      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock">                                                                         </td><td class="lineno" valign="top"></td></tr>
731      <tr><td class="lineno" valign="top"></td><td class="left">Index</td><td> </td><td class="right">Index</td><td class="lineno" valign="top"></td></tr>
732      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
733      <tr><td class="lineno" valign="top"></td><td class="left">   4</td><td> </td><td class="right">   4</td><td class="lineno" valign="top"></td></tr>
734      <tr><td class="lineno" valign="top"></td><td class="left">      401 Unauthorized (status code)  7</td><td> </td><td class="right">      401 Unauthorized (status code)  7</td><td class="lineno" valign="top"></td></tr>
735      <tr><td class="lineno" valign="top"></td><td class="left">      407 Proxy Authentication Required (status code)  7</td><td> </td><td class="right">      407 Proxy Authentication Required (status code)  7</td><td class="lineno" valign="top"></td></tr>
736      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
737      <tr><td class="lineno" valign="top"></td><td class="left">   A</td><td> </td><td class="right">   A</td><td class="lineno" valign="top"></td></tr>
738      <tr><td><a name="diff0047" /></td></tr>
739      <tr><td class="lineno" valign="top"></td><td class="lblock">      Authorization header field  <span class="delete">7</span></td><td> </td><td class="rblock">      Authorization header field  <span class="insert">8</span></td><td class="lineno" valign="top"></td></tr>
740      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
741      <tr><td class="lineno" valign="top"></td><td class="left">   C</td><td> </td><td class="right">   C</td><td class="lineno" valign="top"></td></tr>
742      <tr><td class="lineno" valign="top"></td><td class="left">      Canonical Root URI  6</td><td> </td><td class="right">      Canonical Root URI  6</td><td class="lineno" valign="top"></td></tr>
743      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
744      <tr><td class="lineno" valign="top"></td><td class="left">   G</td><td> </td><td class="right">   G</td><td class="lineno" valign="top"></td></tr>
745      <tr><td class="lineno" valign="top"></td><td class="left">      Grammar</td><td> </td><td class="right">      Grammar</td><td class="lineno" valign="top"></td></tr>
746      <tr><td class="lineno" valign="top"></td><td class="left">         auth-param  5</td><td> </td><td class="right">         auth-param  5</td><td class="lineno" valign="top"></td></tr>
747      <tr><td class="lineno" valign="top"></td><td class="left">         auth-scheme  5</td><td> </td><td class="right">         auth-scheme  5</td><td class="lineno" valign="top"></td></tr>
748      <tr><td class="lineno" valign="top"></td><td class="left">         Authorization  8</td><td> </td><td class="right">         Authorization  8</td><td class="lineno" valign="top"></td></tr>
749      <tr><td class="lineno" valign="top"></td><td class="left">         challenge  5</td><td> </td><td class="right">         challenge  5</td><td class="lineno" valign="top"></td></tr>
750      <tr><td><a name="diff0048" /></td></tr>
751      <tr><td class="lineno" valign="top"></td><td class="lblock">         credentials  <span class="delete">5</span></td><td> </td><td class="rblock">         credentials  <span class="insert">6</span></td><td class="lineno" valign="top"></td></tr>
752      <tr><td class="lineno" valign="top"></td><td class="lblock">         Proxy-Authenticate  <span class="delete">8</span></td><td> </td><td class="rblock">         Proxy-Authenticate  <span class="insert">9</span></td><td class="lineno" valign="top"></td></tr>
753      <tr><td class="lineno" valign="top"></td><td class="lblock">         Proxy-Authorization  <span class="delete">8</span></td><td> </td><td class="rblock">         Proxy-Authorization  <span class="insert">9</span></td><td class="lineno" valign="top"></td></tr>
754      <tr><td class="lineno" valign="top"></td><td class="left">         token68  5</td><td> </td><td class="right">         token68  5</td><td class="lineno" valign="top"></td></tr>
755      <tr><td><a name="diff0049" /></td></tr>
756      <tr><td class="lineno" valign="top"></td><td class="lblock">         WWW-Authenticate  <span class="delete">9</span></td><td> </td><td class="rblock">         WWW-Authenticate  <span class="insert">8</span></td><td class="lineno" valign="top"></td></tr>
757      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
758      <tr><td class="lineno" valign="top"></td><td class="left">   P</td><td> </td><td class="right">   P</td><td class="lineno" valign="top"></td></tr>
759      <tr><td class="lineno" valign="top"></td><td class="left">      Protection Space  6</td><td> </td><td class="right">      Protection Space  6</td><td class="lineno" valign="top"></td></tr>
760      <tr><td><a name="diff0050" /></td></tr>
761      <tr><td class="lineno" valign="top"></td><td class="lblock">      Proxy-Authenticate header field  <span class="delete">8</span></td><td> </td><td class="rblock">      Proxy-Authenticate header field  <span class="insert">9</span></td><td class="lineno" valign="top"></td></tr>
762      <tr><td class="lineno" valign="top"></td><td class="lblock">      Proxy-Authorization header field  <span class="delete">8</span></td><td> </td><td class="rblock">      Proxy-Authorization header field  <span class="insert">9</span></td><td class="lineno" valign="top"></td></tr>
763      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
764      <tr><td class="lineno" valign="top"></td><td class="left">   R</td><td> </td><td class="right">   R</td><td class="lineno" valign="top"></td></tr>
765      <tr><td class="lineno" valign="top"></td><td class="left">      Realm  6</td><td> </td><td class="right">      Realm  6</td><td class="lineno" valign="top"></td></tr>
766      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
767      <tr><td class="lineno" valign="top"></td><td class="left">   W</td><td> </td><td class="right">   W</td><td class="lineno" valign="top"></td></tr>
768      <tr><td><a name="diff0051" /></td></tr>
769      <tr><td class="lineno" valign="top"></td><td class="lblock">      WWW-Authenticate header field  <span class="delete">9</span></td><td> </td><td class="rblock">      WWW-Authenticate header field  <span class="insert">8</span></td><td class="lineno" valign="top"></td></tr>
770      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
771      <tr><td class="lineno" valign="top"></td><td class="left">Authors' Addresses</td><td> </td><td class="right">Authors' Addresses</td><td class="lineno" valign="top"></td></tr>
772      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
773      <tr><td class="lineno" valign="top"></td><td class="left">   Roy T. Fielding (editor)</td><td> </td><td class="right">   Roy T. Fielding (editor)</td><td class="lineno" valign="top"></td></tr>
774      <tr><td class="lineno" valign="top"></td><td class="left">   Adobe Systems Incorporated</td><td> </td><td class="right">   Adobe Systems Incorporated</td><td class="lineno" valign="top"></td></tr>
775      <tr><td class="lineno" valign="top"></td><td class="left">   345 Park Ave</td><td> </td><td class="right">   345 Park Ave</td><td class="lineno" valign="top"></td></tr>
776      <tr><td class="lineno" valign="top"></td><td class="left">   San Jose, CA  95110</td><td> </td><td class="right">   San Jose, CA  95110</td><td class="lineno" valign="top"></td></tr>
777      <tr><td class="lineno" valign="top"></td><td class="left">   USA</td><td> </td><td class="right">   USA</td><td class="lineno" valign="top"></td></tr>
778      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
779      <tr><td class="lineno" valign="top"></td><td class="left">   EMail: fielding@gbiv.com</td><td> </td><td class="right">   EMail: fielding@gbiv.com</td><td class="lineno" valign="top"></td></tr>
780
781     <tr><td></td><td class="left"></td><td> </td><td class="right"></td><td></td></tr>
782     <tr bgcolor="gray"><th colspan="5" align="center"><a name="end">&nbsp;End of changes. 51 change blocks.&nbsp;</a></th></tr>
783     <tr class="stats"><td></td><th><i>154 lines changed or deleted</i></th><th><i> </i></th><th><i>233 lines changed or added</i></th><td></td></tr>
784     <tr><td colspan="5" align="center" class="small"><br/>This html diff was produced by rfcdiff 1.38. The latest version is available from <a href="http://www.tools.ietf.org/tools/rfcdiff/" >http://tools.ietf.org/tools/rfcdiff/</a> </td></tr>
785   </table>
786   </body>
787   </html>