source: draft-ietf-httpbis/latest/p7-auth.xml @ 1101

Last change on this file since 1101 was 1101, checked in by julian.reschke@…, 9 years ago

use mdash for long dashes, make use of dashes consistent

1<?xml version="1.0" encoding="utf-8"?>
2<?xml-stylesheet type='text/xsl' href='../myxml2rfc.xslt'?>
3<!DOCTYPE rfc [
4  <!ENTITY MAY "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MAY</bcp14>">
5  <!ENTITY MUST "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MUST</bcp14>">
6  <!ENTITY MUST-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MUST NOT</bcp14>">
7  <!ENTITY OPTIONAL "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>OPTIONAL</bcp14>">
8  <!ENTITY RECOMMENDED "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>RECOMMENDED</bcp14>">
9  <!ENTITY REQUIRED "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>REQUIRED</bcp14>">
10  <!ENTITY SHALL "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHALL</bcp14>">
11  <!ENTITY SHALL-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHALL NOT</bcp14>">
12  <!ENTITY SHOULD "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHOULD</bcp14>">
13  <!ENTITY SHOULD-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHOULD NOT</bcp14>">
14  <!ENTITY ID-VERSION "latest">
15  <!ENTITY ID-MONTH "January">
16  <!ENTITY ID-YEAR "2011">
17  <!ENTITY mdash "&#8212;">
18  <!ENTITY notation                     "<xref target='Part1' x:rel='#notation' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
19  <!ENTITY notation-abnf                "<xref target='Part1' x:rel='#notation.abnf' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
20  <!ENTITY basic-rules                  "<xref target='Part1' x:rel='#basic.rules' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
21  <!ENTITY effective-request-uri        "<xref target='Part1' x:rel='#effective.request.uri' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
22  <!ENTITY end-to-end.and-hop-by-hop    "<xref target='Part1' x:rel='#end-to-end.and.hop-by-hop.header-fields' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
23  <!ENTITY shared-and-non-shared-caches "<xref target='Part6' x:rel='#shared.and.non-shared.caches' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
24]>
25<?rfc toc="yes" ?>
26<?rfc symrefs="yes" ?>
27<?rfc sortrefs="yes" ?>
28<?rfc compact="yes"?>
29<?rfc subcompact="no" ?>
30<?rfc linkmailto="no" ?>
31<?rfc editing="no" ?>
32<?rfc comments="yes"?>
33<?rfc inline="yes"?>
34<?rfc rfcedstyle="yes"?>
35<?rfc-ext allow-markup-in-artwork="yes" ?>
36<?rfc-ext include-references-in-index="yes" ?>
37<rfc obsoletes="2616" updates="2617" category="std" x:maturity-level="draft"
38     ipr="pre5378Trust200902" docName="draft-ietf-httpbis-p7-auth-&ID-VERSION;"
39     xmlns:x='http://purl.org/net/xml2rfc/ext'>
40<front>
41
42  <title abbrev="HTTP/1.1, Part 7">HTTP/1.1, part 7: Authentication</title>
43
44  <author initials="R." surname="Fielding" fullname="Roy T. Fielding" role="editor">
45    <organization abbrev="Day Software">Day Software</organization>
46    <address>
47      <postal>
48        <street>23 Corporate Plaza DR, Suite 280</street>
49        <city>Newport Beach</city>
50        <region>CA</region>
51        <code>92660</code>
52        <country>USA</country>
53      </postal>
54      <phone>+1-949-706-5300</phone>
55      <facsimile>+1-949-706-5305</facsimile>
56      <email>fielding@gbiv.com</email>
57      <uri>http://roy.gbiv.com/</uri>
58    </address>
59  </author>
60
61  <author initials="J." surname="Gettys" fullname="Jim Gettys">
62    <organization abbrev="Alcatel-Lucent">Alcatel-Lucent Bell Labs</organization>
63    <address>
64      <postal>
65        <street>21 Oak Knoll Road</street>
66        <city>Carlisle</city>
67        <region>MA</region>
68        <code>01741</code>
69        <country>USA</country>
70      </postal>
71      <email>jg@freedesktop.org</email>
72      <uri>http://gettys.wordpress.com/</uri>
73    </address>
74  </author>
75 
76  <author initials="J." surname="Mogul" fullname="Jeffrey C. Mogul">
77    <organization abbrev="HP">Hewlett-Packard Company</organization>
78    <address>
79      <postal>
80        <street>HP Labs, Large Scale Systems Group</street>
81        <street>1501 Page Mill Road, MS 1177</street>
82        <city>Palo Alto</city>
83        <region>CA</region>
84        <code>94304</code>
85        <country>USA</country>
86      </postal>
87      <email>JeffMogul@acm.org</email>
88    </address>
89  </author>
90
91  <author initials="H." surname="Frystyk" fullname="Henrik Frystyk Nielsen">
92    <organization abbrev="Microsoft">Microsoft Corporation</organization>
93    <address>
94      <postal>
95        <street>1 Microsoft Way</street>
96        <city>Redmond</city>
97        <region>WA</region>
98        <code>98052</code>
99        <country>USA</country>
100      </postal>
101      <email>henrikn@microsoft.com</email>
102    </address>
103  </author>
104
105  <author initials="L." surname="Masinter" fullname="Larry Masinter">
106    <organization abbrev="Adobe Systems">Adobe Systems, Incorporated</organization>
107    <address>
108      <postal>
109        <street>345 Park Ave</street>
110        <city>San Jose</city>
111        <region>CA</region>
112        <code>95110</code>
113        <country>USA</country>
114      </postal>
115      <email>LMM@acm.org</email>
116      <uri>http://larry.masinter.net/</uri>
117    </address>
118  </author>
119 
120  <author initials="P." surname="Leach" fullname="Paul J. Leach">
121    <organization abbrev="Microsoft">Microsoft Corporation</organization>
122    <address>
123      <postal>
124        <street>1 Microsoft Way</street>
125        <city>Redmond</city>
126        <region>WA</region>
127        <code>98052</code>
128      </postal>
129      <email>paulle@microsoft.com</email>
130    </address>
131  </author>
132   
133  <author initials="T." surname="Berners-Lee" fullname="Tim Berners-Lee">
134    <organization abbrev="W3C/MIT">World Wide Web Consortium</organization>
135    <address>
136      <postal>
137        <street>MIT Computer Science and Artificial Intelligence Laboratory</street>
138        <street>The Stata Center, Building 32</street>
139        <street>32 Vassar Street</street>
140        <city>Cambridge</city>
141        <region>MA</region>
142        <code>02139</code>
143        <country>USA</country>
144      </postal>
145      <email>timbl@w3.org</email>
146      <uri>http://www.w3.org/People/Berners-Lee/</uri>
147    </address>
148  </author>
149
150  <author initials="Y." surname="Lafon" fullname="Yves Lafon" role="editor">
151    <organization abbrev="W3C">World Wide Web Consortium</organization>
152    <address>
153      <postal>
154        <street>W3C / ERCIM</street>
155        <street>2004, rte des Lucioles</street>
156        <city>Sophia-Antipolis</city>
157        <region>AM</region>
158        <code>06902</code>
159        <country>France</country>
160      </postal>
161      <email>ylafon@w3.org</email>
162      <uri>http://www.raubacapeu.net/people/yves/</uri>
163    </address>
164  </author>
165
166  <author initials="J. F." surname="Reschke" fullname="Julian F. Reschke" role="editor">
167    <organization abbrev="greenbytes">greenbytes GmbH</organization>
168    <address>
169      <postal>
170        <street>Hafenweg 16</street>
171        <city>Muenster</city><region>NW</region><code>48155</code>
172        <country>Germany</country>
173      </postal>
174      <phone>+49 251 2807760</phone>
175      <facsimile>+49 251 2807761</facsimile>
176      <email>julian.reschke@greenbytes.de</email>
177      <uri>http://greenbytes.de/tech/webdav/</uri>
178    </address>
179  </author>
180
181  <date month="&ID-MONTH;" year="&ID-YEAR;"/>
182  <workgroup>HTTPbis Working Group</workgroup>
183
184<abstract>
185<t>
186   The Hypertext Transfer Protocol (HTTP) is an application-level
187   protocol for distributed, collaborative, hypermedia information
188   systems. HTTP has been in use by the World Wide Web global information
189   initiative since 1990. This document is Part 7 of the seven-part specification
190   that defines the protocol referred to as "HTTP/1.1" and, taken together,
191   obsoletes RFC 2616.  Part 7 defines HTTP Authentication.
192</t>
193</abstract>
194
195<note title="Editorial Note (To be removed by RFC Editor)">
196  <t>
197    Discussion of this draft should take place on the HTTPBIS working group
198    mailing list (ietf-http-wg@w3.org). The current issues list is
199    at <eref target="http://tools.ietf.org/wg/httpbis/trac/report/3"/>
200    and related documents (including fancy diffs) can be found at
201    <eref target="http://tools.ietf.org/wg/httpbis/"/>.
202  </t>
203  <t>
204    The changes in this draft are summarized in <xref target="changes.since.12"/>.
205  </t>
206</note>
207</front>
208<middle>
209<section title="Introduction" anchor="introduction">
210<t>
211   This document defines HTTP/1.1 access control and authentication. It
212   includes the relevant parts of <xref target="RFC2616" x:fmt="none">RFC 2616</xref>
213   with only minor changes, plus the general framework for HTTP authentication,
214   as previously defined in "HTTP Authentication: Basic and Digest Access
215   Authentication" (<xref target="RFC2617"/>).
216</t>
217<t>
218   HTTP provides several &OPTIONAL; challenge-response authentication
219   mechanisms which can be used by a server to challenge a client request and
220   by a client to provide authentication information. The "basic" and "digest"
221   authentication schemes continue to be specified in
222   <xref target="RFC2617" x:fmt="none">RFC 2617</xref>.
223</t>
224
225<section title="Requirements" anchor="intro.requirements">
226<t>
227   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
228   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
229   document are to be interpreted as described in <xref target="RFC2119"/>.
230</t>
231<t>
232   An implementation is not compliant if it fails to satisfy one or more
233   of the "MUST" or "REQUIRED" level requirements for the protocols it
234   implements. An implementation that satisfies all the "MUST" or "REQUIRED"
235   level and all the "SHOULD" level requirements for its protocols is said
236   to be "unconditionally compliant"; one that satisfies all the "MUST"
237   level requirements but not all the "SHOULD" level requirements for its
238   protocols is said to be "conditionally compliant".
239</t>
240</section>
241
242<section title="Syntax Notation" anchor="notation">
243  <x:anchor-alias value="ALPHA"/>
244  <x:anchor-alias value="CR"/>
245  <x:anchor-alias value="DIGIT"/>
246  <x:anchor-alias value="LF"/>
247  <x:anchor-alias value="OCTET"/>
248  <x:anchor-alias value="VCHAR"/>
249  <x:anchor-alias value="SP"/>
250  <x:anchor-alias value="WSP"/>
251<t>
252  This specification uses the ABNF syntax defined in &notation; (which
253  extends the syntax defined in <xref target="RFC5234"/> with a list rule).
254  <xref target="collected.abnf"/> shows the collected ABNF, with the list
255  rule expanded.
256</t>
257<t>
258  The following core rules are included by
259  reference, as defined in <xref target="RFC5234" x:fmt="," x:sec="B.1"/>:
260  ALPHA (letters), CR (carriage return), CRLF (CR LF), CTL (controls),
261  DIGIT (decimal 0-9), DQUOTE (double quote),
262  HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed),
263  OCTET (any 8-bit sequence of data), SP (space),
264  VCHAR (any visible USASCII character),
265  and WSP (whitespace).
266</t>
267
268<section title="Core Rules" anchor="core.rules">
269   <x:anchor-alias value="quoted-string"/>
270   <x:anchor-alias value="token"/>
271   <x:anchor-alias value="OWS"/>
272<t>
273   The core rules below are defined in &basic-rules;:
274</t>
275<figure><artwork type="abnf2616">
276  <x:ref>quoted-string</x:ref> = &lt;quoted-string, defined in &basic-rules;&gt;
277  <x:ref>token</x:ref>         = &lt;token, defined in &basic-rules;&gt;
278  <x:ref>OWS</x:ref>           = &lt;OWS, defined in &basic-rules;&gt;
279</artwork></figure>
280</section>
281</section>
282</section>
283
284<section title="Access Authentication Framework" anchor="access.authentication.framework">
285  <x:anchor-alias value="auth-scheme"/>
286  <x:anchor-alias value="auth-param"/>
287  <x:anchor-alias value="challenge"/>
288  <x:anchor-alias value="credentials"/>
289<t>
290   HTTP provides a simple challenge-response authentication mechanism
291   that can be used by a server to challenge a client request and by a
292   client to provide authentication information. It uses an extensible,
293   case-insensitive token to identify the authentication scheme,
294   followed by a comma-separated list of attribute-value pairs which
295   carry the parameters necessary for achieving authentication via that
296   scheme.
297</t>
298<figure><artwork type="abnf2616"><iref item="auth-scheme" primary="true"/><iref item="auth-param" primary="true"/>
299  auth-scheme    = token
300  auth-param     = token "=" ( token / quoted-string )
301</artwork></figure>
302<t>
303   The 401 (Unauthorized) response message is used by an origin server
304   to challenge the authorization of a user agent. This response &MUST;
305   include a WWW-Authenticate header field containing at least one
306   challenge applicable to the requested resource. The 407 (Proxy
307   Authentication Required) response message is used by a proxy to
308   challenge the authorization of a client and &MUST; include a Proxy-Authenticate
309   header field containing at least one challenge
310   applicable to the proxy for the requested resource.
311</t>
312<figure><artwork type="abnf2616"><iref item="challenge" primary="true"/>
313  <x:ref>challenge</x:ref>   = <x:ref>auth-scheme</x:ref> 1*<x:ref>SP</x:ref> 1#<x:ref>auth-param</x:ref>
314</artwork></figure>
315<x:note>
316  <t>
317   <x:h>Note:</x:h> User agents will need to take special care in parsing the WWW-Authenticate
318   or Proxy-Authenticate header field value if it contains
319   more than one challenge, or if more than one WWW-Authenticate header
320   field is provided, since the contents of a challenge can itself
321   contain a comma-separated list of authentication parameters.
322  </t>
323</x:note>
324<x:note>
325  <t>
326      <x:h>Note:</x:h> Many browsers fail to parse challenges containing unknown
327      schemes. A workaround for this problem is to list well-supported schemes
328      (such as "basic") first.
329  </t>
330</x:note>
331<t>
332   The authentication parameter realm is defined for all authentication
333   schemes:
334</t>
335<figure><artwork type="abnf2616"><iref item="realm" primary="true"/><iref item="realm-value" primary="true"/>
336  realm       = "realm" "=" realm-value
337  realm-value = quoted-string
338</artwork></figure>
339<t>
340   The realm directive (case-insensitive) is required for all
341   authentication schemes that issue a challenge. The realm value
342   (case-sensitive), in combination with the canonical root URI
343   (the scheme and authority components of the effective request URI; see
344   <xref target="Part1" x:fmt="of" x:rel="#effective.request.uri"/>) of the server being accessed, defines the protection space.
345   These realms allow the protected resources on a server to be
346   partitioned into a set of protection spaces, each with its own
347   authentication scheme and/or authorization database. The realm value
348   is a string, generally assigned by the origin server, which can have
349   additional semantics specific to the authentication scheme. Note that
350   there can be multiple challenges with the same auth-scheme but
351   different realms.
352</t>
353<t>
354   A user agent that wishes to authenticate itself with an origin
355   server &mdash; usually, but not necessarily, after receiving a 401
356   (Unauthorized) &mdash; &MAY; do so by including an Authorization header field
357   with the request. A client that wishes to authenticate itself with a
358   proxy &mdash; usually, but not necessarily, after receiving a 407 (Proxy
359   Authentication Required) &mdash; &MAY; do so by including a Proxy-Authorization
360   header field with the request.  Both the Authorization
361   field value and the Proxy-Authorization field value consist of
362   credentials containing the authentication information of the client
363   for the realm of the resource being requested. The user agent &MUST;
364   choose to use one of the challenges with the strongest auth-scheme it
365   understands and request credentials from the user based upon that
366   challenge.
367</t>
368<figure><artwork type="abnf2616"><iref item="credentials" primary="true"/>
369  <x:ref>credentials</x:ref> = <x:ref>auth-scheme</x:ref> ( <x:ref>token</x:ref>
370                            / <x:ref>quoted-string</x:ref>
371                            / #<x:ref>auth-param</x:ref> )
372</artwork></figure>
373<t>
374   The protection space determines the domain over which credentials can
375   be automatically applied. If a prior request has been authorized, the
376   same credentials &MAY; be reused for all other requests within that
377   protection space for a period of time determined by the
378   authentication scheme, parameters, and/or user preference. Unless
379   otherwise defined by the authentication scheme, a single protection
380   space cannot extend outside the scope of its server.
381</t>
382<t>
383   If the origin server does not wish to accept the credentials sent
384   with a request, it &SHOULD; return a 401 (Unauthorized) response. The
385   response &MUST; include a WWW-Authenticate header field containing at
386   least one (possibly new) challenge applicable to the requested
387   resource. If a proxy does not accept the credentials sent with a
388   request, it &SHOULD; return a 407 (Proxy Authentication Required). The
389   response &MUST; include a Proxy-Authenticate header field containing a
390   (possibly new) challenge applicable to the proxy for the requested
391   resource.
392</t>
393<t>
394   The HTTP protocol does not restrict applications to this simple
395   challenge-response mechanism for access authentication. Additional
396   mechanisms &MAY; be used, such as encryption at the transport level or
397   via message encapsulation, and with additional header fields
398   specifying authentication information. However, these additional
399   mechanisms are not defined by this specification.
400</t>
401<t>
402   Proxies &MUST; be completely transparent regarding user agent
403   authentication by origin servers. That is, they &MUST; forward the
404   WWW-Authenticate and Authorization header fields untouched, and follow the
405   rules found in <xref target="header.authorization"/>. Both the Proxy-Authenticate and
406   the Proxy-Authorization header fields are hop-by-hop header fields (see
407   &end-to-end.and-hop-by-hop;).
408</t>
409
410<section title="Authentication Scheme Registry" anchor="authentication.scheme.registry">
411<t>
412  The HTTP Authentication Scheme Registry defines the name space for the
413  authentication schemes in challenges and credentials.
414</t>
415<t>
416  Registrations &MUST; include the following fields:
417  <list style="symbols">
418    <t>Authentication Scheme Name</t>
419    <t>Pointer to specification text</t>
420  </list>
421</t>
422<t>
423  Values to be added to this name space are subject to IETF review
424  (<xref target="RFC5226" x:fmt="," x:sec="4.1"/>).
425</t>
426<t>
427  The registry itself is maintained at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
428</t>
429</section>
430
431</section>
432
433<section title="Status Code Definitions" anchor="status.code.definitions">
434<section title="401 Unauthorized" anchor="status.401">
435  <iref primary="true" item="401 Unauthorized (status code)" x:for-anchor=""/>
436  <iref primary="true" item="Status Codes" subitem="401 Unauthorized" x:for-anchor=""/>
437<t>
438   The request requires user authentication. The response &MUST; include a
439   WWW-Authenticate header field (<xref target="header.www-authenticate"/>) containing a challenge
440   applicable to the target resource. The client &MAY; repeat the
441   request with a suitable Authorization header field (<xref target="header.authorization"/>). If
442   the request already included Authorization credentials, then the 401
443   response indicates that authorization has been refused for those
444   credentials. If the 401 response contains the same challenge as the
445   prior response, and the user agent has already attempted
446   authentication at least once, then the user &SHOULD; be presented the
447   representation that was given in the response, since that representation might
448   include relevant diagnostic information.
449</t>
450</section>
451<section title="407 Proxy Authentication Required" anchor="status.407">
452  <iref primary="true" item="407 Proxy Authentication Required (status code)" x:for-anchor=""/>
453  <iref primary="true" item="Status Codes" subitem="407 Proxy Authentication Required" x:for-anchor=""/>
454<t>
455   This code is similar to 401 (Unauthorized), but indicates that the
456   client ought to first authenticate itself with the proxy. The proxy &MUST;
457   return a Proxy-Authenticate header field (<xref target="header.proxy-authenticate"/>) containing a
458   challenge applicable to the proxy for the target resource. The
459   client &MAY; repeat the request with a suitable Proxy-Authorization
460   header field (<xref target="header.proxy-authorization"/>).
461</t>
462</section>
463</section>
464
465<section title="Header Field Definitions" anchor="header.fields">
466<t>
467   This section defines the syntax and semantics of HTTP/1.1 header fields
468   related to authentication.
469</t>
470
471<section title="Authorization" anchor="header.authorization">
472  <iref primary="true" item="Authorization header" x:for-anchor=""/>
473  <iref primary="true" item="Headers" subitem="Authorization" x:for-anchor=""/>
474  <x:anchor-alias value="Authorization"/>
475  <x:anchor-alias value="Authorization-v"/>
476<t>
477   The "Authorization" request-header field allows a user agent to authenticate
478   itself with a server &mdash; usually, but not necessarily, after receiving a 401
479   (Unauthorized) response. Its value consists of credentials containing the
480   authentication information of the user agent for the realm of the resource
481   being requested.
482</t>
483<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Authorization"/><iref primary="true" item="Grammar" subitem="Authorization-v"/>
484  <x:ref>Authorization</x:ref>   = "Authorization" ":" <x:ref>OWS</x:ref> <x:ref>Authorization-v</x:ref>
485  <x:ref>Authorization-v</x:ref> = <x:ref>credentials</x:ref>
486</artwork></figure>
487<t>
488   If a request is
489   authenticated and a realm specified, the same credentials &SHOULD;
490   be valid for all other requests within this realm (assuming that
491   the authentication scheme itself does not require otherwise, such
492   as credentials that vary according to a challenge value or using
493   synchronized clocks).
494</t>
495<t>
496      When a shared cache (see &shared-and-non-shared-caches;) receives a request
497      containing an Authorization field, it &MUST-NOT; return the
498      corresponding response as a reply to any other request, unless one
499      of the following specific exceptions holds:
500</t>
501<t>
502  <list style="numbers">
503      <t>If the response includes the "s-maxage" cache-control
504         directive, the cache &MAY; use that response in replying to a
505         subsequent request. But (if the specified maximum age has
506         passed) a proxy cache &MUST; first revalidate it with the origin
507         server, using the request-header fields from the new request to allow
508         the origin server to authenticate the new request. (This is the
509         defined behavior for s-maxage.) If the response includes "s-maxage=0",
510         the proxy &MUST; always revalidate it before re-using
511         it.</t>
512
513      <t>If the response includes the "must-revalidate" cache-control
514         directive, the cache &MAY; use that response in replying to a
515         subsequent request. But if the response is stale, all caches
516         &MUST; first revalidate it with the origin server, using the
517         request-header fields from the new request to allow the origin server
518         to authenticate the new request.</t>
519
520      <t>If the response includes the "public" cache-control directive,
521         it &MAY; be returned in reply to any subsequent request.</t>
522  </list>
523</t>
524</section>
525
526<section title="Proxy-Authenticate" anchor="header.proxy-authenticate">
527  <iref primary="true" item="Proxy-Authenticate header" x:for-anchor=""/>
528  <iref primary="true" item="Headers" subitem="Proxy-Authenticate" x:for-anchor=""/>
529  <x:anchor-alias value="Proxy-Authenticate"/>
530  <x:anchor-alias value="Proxy-Authenticate-v"/>
531<t>
532   The "Proxy-Authenticate" response-header field consists of a challenge that
533   indicates the authentication scheme and parameters applicable to the proxy
534   for this effective request URI (&effective-request-uri;). It &MUST; be included as part
535   of a 407 (Proxy Authentication Required) response.
536</t>
537<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Proxy-Authenticate"/><iref primary="true" item="Grammar" subitem="Proxy-Authenticate-v"/>
538  <x:ref>Proxy-Authenticate</x:ref>   = "Proxy-Authenticate" ":" <x:ref>OWS</x:ref>
539                         <x:ref>Proxy-Authenticate-v</x:ref>
540  <x:ref>Proxy-Authenticate-v</x:ref> = 1#<x:ref>challenge</x:ref>
541</artwork></figure>
542<t>
543   Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to
544   the current connection and &SHOULD-NOT; be passed on to downstream
545   clients. However, an intermediate proxy might need to obtain its own
546   credentials by requesting them from the downstream client, which in
547   some circumstances will appear as if the proxy is forwarding the
548   Proxy-Authenticate header field.
549</t>
550</section>
551
552<section title="Proxy-Authorization" anchor="header.proxy-authorization">
553  <iref primary="true" item="Proxy-Authorization header" x:for-anchor=""/>
554  <iref primary="true" item="Headers" subitem="Proxy-Authorization" x:for-anchor=""/>
555  <x:anchor-alias value="Proxy-Authorization"/>
556  <x:anchor-alias value="Proxy-Authorization-v"/>
557<t>
558   The "Proxy-Authorization" request-header field allows the client to
559   identify itself (or its user) to a proxy which requires
560   authentication. Its value consists of
561   credentials containing the authentication information of the user
562   agent for the proxy and/or realm of the resource being requested.
563</t>
564<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Proxy-Authorization"/><iref primary="true" item="Grammar" subitem="Proxy-Authorization-v"/>
565  <x:ref>Proxy-Authorization</x:ref>   = "Proxy-Authorization" ":" <x:ref>OWS</x:ref>
566                          <x:ref>Proxy-Authorization-v</x:ref>
567  <x:ref>Proxy-Authorization-v</x:ref> = <x:ref>credentials</x:ref>
568</artwork></figure>
569<t>
570   Unlike Authorization, the Proxy-Authorization header field applies only to
571   the next outbound proxy that demanded authentication using the Proxy-Authenticate
572   field. When multiple proxies are used in a chain, the
573   Proxy-Authorization header field is consumed by the first outbound
574   proxy that was expecting to receive credentials. A proxy &MAY; relay
575   the credentials from the client request to the next proxy if that is
576   the mechanism by which the proxies cooperatively authenticate a given
577   request.
578</t>
579</section>
580
581<section title="WWW-Authenticate" anchor="header.www-authenticate">
582  <iref primary="true" item="WWW-Authenticate header" x:for-anchor=""/>
583  <iref primary="true" item="Headers" subitem="WWW-Authenticate" x:for-anchor=""/>
584  <x:anchor-alias value="WWW-Authenticate"/>
585  <x:anchor-alias value="WWW-Authenticate-v"/>
586<t>
587   The "WWW-Authenticate" response-header field consists of at least one
588   challenge that indicates the authentication scheme(s) and parameters
589   applicable to the effective request URI (&effective-request-uri;). It &MUST; be included in 401
590   (Unauthorized) response messages.
591</t>
592<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="WWW-Authenticate"/><iref primary="true" item="Grammar" subitem="WWW-Authenticate-v"/>
593  <x:ref>WWW-Authenticate</x:ref>   = "WWW-Authenticate" ":" <x:ref>OWS</x:ref> <x:ref>WWW-Authenticate-v</x:ref>
594  <x:ref>WWW-Authenticate-v</x:ref> = 1#<x:ref>challenge</x:ref>
595</artwork></figure>
596<t>
597   User agents are advised to take special care in parsing the WWW-Authenticate
598   field value if it contains more than one challenge, or if more than
599   one WWW-Authenticate header field is provided, since the contents of
600   a challenge can itself contain a comma-separated list of
601   authentication parameters.
602</t>
603</section>
604
605</section>
606
607<section title="IANA Considerations" anchor="IANA.considerations">
608
609<section title="Authentication Scheme Registry" anchor="authentication.scheme.registration">
610<t>
611  The registration procedure for HTTP Authentication Schemes is defined by
612  <xref target="authentication.scheme.registry"/> of this document.
613</t>
614<t>
615   The HTTP Authentication Scheme Registry shall be created at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
616</t>
617</section>
618
619<section title="Status Code Registration" anchor="status.code.registration">
620<t>
621   The HTTP Status Code Registry located at <eref target="http://www.iana.org/assignments/http-status-codes"/>
622   shall be updated with the registrations below:
623</t>
624<?BEGININC p7-auth.iana-status-codes ?>
625<!--AUTOGENERATED FROM extract-status-code-defs.xslt, do not edit manually-->
626<texttable align="left" suppress-title="true" anchor="iana.status.code.registration.table">
627   <ttcol>Value</ttcol>
628   <ttcol>Description</ttcol>
629   <ttcol>Reference</ttcol>
630   <c>401</c>
631   <c>Unauthorized</c>
632   <c>
633      <xref target="status.401"/>
634   </c>
635   <c>407</c>
636   <c>Proxy Authentication Required</c>
637   <c>
638      <xref target="status.407"/>
639   </c>
640</texttable>
641<!--(END)-->
642<?ENDINC p7-auth.iana-status-codes ?>
643</section>
644
645<section title="Header Field Registration" anchor="header.field.registration">
646<t>
647   The Message Header Field Registry located at <eref target="http://www.iana.org/assignments/message-headers/message-header-index.html"/> shall be updated
648   with the permanent registrations below (see <xref target="RFC3864"/>):
649</t>
650<?BEGININC p7-auth.iana-headers ?>
651<!--AUTOGENERATED FROM extract-header-defs.xslt, do not edit manually-->
652<texttable align="left" suppress-title="true" anchor="iana.header.registration.table">
653   <ttcol>Header Field Name</ttcol>
654   <ttcol>Protocol</ttcol>
655   <ttcol>Status</ttcol>
656   <ttcol>Reference</ttcol>
657
658   <c>Authorization</c>
659   <c>http</c>
660   <c>standard</c>
661   <c>
662      <xref target="header.authorization"/>
663   </c>
664   <c>Proxy-Authenticate</c>
665   <c>http</c>
666   <c>standard</c>
667   <c>
668      <xref target="header.proxy-authenticate"/>
669   </c>
670   <c>Proxy-Authorization</c>
671   <c>http</c>
672   <c>standard</c>
673   <c>
674      <xref target="header.proxy-authorization"/>
675   </c>
676   <c>WWW-Authenticate</c>
677   <c>http</c>
678   <c>standard</c>
679   <c>
680      <xref target="header.www-authenticate"/>
681   </c>
682</texttable>
683<!--(END)-->
684<?ENDINC p7-auth.iana-headers ?>
685<t>
686   The change controller is: "IETF (iesg@ietf.org) - Internet Engineering Task Force".
687</t>
688</section>
689</section>
690
691<section title="Security Considerations" anchor="security.considerations">
692<t>
693   This section is meant to inform application developers, information
694   providers, and users of the security limitations in HTTP/1.1 as
695   described by this document. The discussion does not include
696   definitive solutions to the problems revealed, though it does make
697   some suggestions for reducing security risks.
698</t>
699
700<section title="Authentication Credentials and Idle Clients" anchor="auth.credentials.and.idle.clients">
701<t>
702   Existing HTTP clients and user agents typically retain authentication
703   information indefinitely. HTTP/1.1 does not provide a method for a
704   server to direct clients to discard these cached credentials. This is
705   a significant defect that requires further extensions to HTTP.
706   Circumstances under which credential caching can interfere with the
707   application's security model include but are not limited to:
708  <list style="symbols">
     <t>Clients that have been idle for an extended period, after
        which the server might wish to cause the client to re-prompt the
        user for credentials.</t>
712
713     <t>Applications which include a session termination indication
714        (such as a "logout" or "commit" button on a page) after which
715        the server side of the application "knows" that there is no
716        further reason for the client to retain the credentials.</t>
717  </list>
718</t>
719<t>
   This is currently under separate study. There are a number of work-arounds
   for parts of this problem, and we encourage the use of
   password protection in screen savers, idle time-outs, and other
   methods which mitigate the risks of indefinitely cached credentials.
   In particular, user agents which cache credentials are
   encouraged to provide a readily accessible mechanism for discarding
   cached credentials under user control. Note that such mechanisms act
   only on the client side: since HTTP/1.1 gives a server no way to
   direct a client to discard cached credentials, a server-side "logout"
   cannot by itself prevent a client from re-sending them.
728</section>
729</section>
730
731<section title="Acknowledgments" anchor="ack">
732<t>
  This specification takes over the definition of the HTTP Authentication
  Framework, previously defined in <xref target="RFC2617" x:fmt="none">RFC 2617</xref>. We thank John Franks,
  Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence,
  Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for their work
  on that specification.
738</t>
739<t>
740  <cref anchor="acks">HTTPbis acknowledgements.</cref>
741</t>
742</section>
743</middle>
744
745<back>
746
747<references title="Normative References">
748
749<reference anchor="Part1">
750  <front>
751    <title abbrev="HTTP/1.1">HTTP/1.1, part 1: URIs, Connections, and Message Parsing</title>
752    <author initials="R." surname="Fielding" fullname="Roy T. Fielding" role="editor">
753      <organization abbrev="Day Software">Day Software</organization>
754      <address><email>fielding@gbiv.com</email></address>
755    </author>
756    <author initials="J." surname="Gettys" fullname="Jim Gettys">
757      <organization abbrev="Alcatel-Lucent">Alcatel-Lucent Bell Labs</organization>
758      <address><email>jg@freedesktop.org</email></address>
759    </author>
760    <author initials="J." surname="Mogul" fullname="Jeffrey C. Mogul">
761      <organization abbrev="HP">Hewlett-Packard Company</organization>
762      <address><email>JeffMogul@acm.org</email></address>
763    </author>
764    <author initials="H." surname="Frystyk" fullname="Henrik Frystyk Nielsen">
765      <organization abbrev="Microsoft">Microsoft Corporation</organization>
766      <address><email>henrikn@microsoft.com</email></address>
767    </author>
768    <author initials="L." surname="Masinter" fullname="Larry Masinter">
769      <organization abbrev="Adobe Systems">Adobe Systems, Incorporated</organization>
770      <address><email>LMM@acm.org</email></address>
771    </author>
772    <author initials="P." surname="Leach" fullname="Paul J. Leach">
773      <organization abbrev="Microsoft">Microsoft Corporation</organization>
774      <address><email>paulle@microsoft.com</email></address>
775    </author>
776    <author initials="T." surname="Berners-Lee" fullname="Tim Berners-Lee">
777      <organization abbrev="W3C/MIT">World Wide Web Consortium</organization>
778      <address><email>timbl@w3.org</email></address>
779    </author>
780    <author initials="Y." surname="Lafon" fullname="Yves Lafon" role="editor">
781      <organization abbrev="W3C">World Wide Web Consortium</organization>
782      <address><email>ylafon@w3.org</email></address>
783    </author>
784    <author initials="J. F." surname="Reschke" fullname="Julian F. Reschke" role="editor">
785      <organization abbrev="greenbytes">greenbytes GmbH</organization>
786      <address><email>julian.reschke@greenbytes.de</email></address>
787    </author>
788    <date month="&ID-MONTH;" year="&ID-YEAR;"/>
789  </front>
790  <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-p1-messaging-&ID-VERSION;"/>
791  <x:source href="p1-messaging.xml" basename="p1-messaging"/>
792</reference>
793
794<reference anchor="Part6">
795  <front>
796    <title abbrev="HTTP/1.1">HTTP/1.1, part 6: Caching</title>
797    <author initials="R." surname="Fielding" fullname="Roy T. Fielding" role="editor">
798      <organization abbrev="Day Software">Day Software</organization>
799      <address><email>fielding@gbiv.com</email></address>
800    </author>
801    <author initials="J." surname="Gettys" fullname="Jim Gettys">
802      <organization abbrev="Alcatel-Lucent">Alcatel-Lucent Bell Labs</organization>
803      <address><email>jg@freedesktop.org</email></address>
804    </author>
805    <author initials="J." surname="Mogul" fullname="Jeffrey C. Mogul">
806      <organization abbrev="HP">Hewlett-Packard Company</organization>
807      <address><email>JeffMogul@acm.org</email></address>
808    </author>
809    <author initials="H." surname="Frystyk" fullname="Henrik Frystyk Nielsen">
810      <organization abbrev="Microsoft">Microsoft Corporation</organization>
811      <address><email>henrikn@microsoft.com</email></address>
812    </author>
813    <author initials="L." surname="Masinter" fullname="Larry Masinter">
814      <organization abbrev="Adobe Systems">Adobe Systems, Incorporated</organization>
815      <address><email>LMM@acm.org</email></address>
816    </author>
817    <author initials="P." surname="Leach" fullname="Paul J. Leach">
818      <organization abbrev="Microsoft">Microsoft Corporation</organization>
819      <address><email>paulle@microsoft.com</email></address>
820    </author>
821    <author initials="T." surname="Berners-Lee" fullname="Tim Berners-Lee">
822      <organization abbrev="W3C/MIT">World Wide Web Consortium</organization>
823      <address><email>timbl@w3.org</email></address>
824    </author>
825    <author initials="Y." surname="Lafon" fullname="Yves Lafon" role="editor">
826      <organization abbrev="W3C">World Wide Web Consortium</organization>
827      <address><email>ylafon@w3.org</email></address>
828    </author>
829    <author initials="M." surname="Nottingham" fullname="Mark Nottingham" role="editor">
830      <address><email>mnot@mnot.net</email></address>
831    </author>
832    <author initials="J. F." surname="Reschke" fullname="Julian F. Reschke" role="editor">
833      <organization abbrev="greenbytes">greenbytes GmbH</organization>
834      <address><email>julian.reschke@greenbytes.de</email></address>
835    </author>
836    <date month="&ID-MONTH;" year="&ID-YEAR;"/>
837  </front>
838  <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-p6-cache-&ID-VERSION;"/>
839  <x:source href="p6-cache.xml" basename="p6-cache"/>
840</reference>
841
842<reference anchor="RFC2119">
843  <front>
844    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
845    <author initials="S." surname="Bradner" fullname="Scott Bradner">
846      <organization>Harvard University</organization>
847      <address><email>sob@harvard.edu</email></address>
848    </author>
849    <date month="March" year="1997"/>
850  </front>
851  <seriesInfo name="BCP" value="14"/>
852  <seriesInfo name="RFC" value="2119"/>
853</reference>
854
855<reference anchor="RFC5234">
856  <front>
857    <title abbrev="ABNF for Syntax Specifications">Augmented BNF for Syntax Specifications: ABNF</title>
858    <author initials="D." surname="Crocker" fullname="Dave Crocker" role="editor">
859      <organization>Brandenburg InternetWorking</organization>
860      <address>
861        <email>dcrocker@bbiw.net</email>
862      </address> 
863    </author>
864    <author initials="P." surname="Overell" fullname="Paul Overell">
865      <organization>THUS plc.</organization>
866      <address>
867        <email>paul.overell@thus.net</email>
868      </address>
869    </author>
870    <date month="January" year="2008"/>
871  </front>
872  <seriesInfo name="STD" value="68"/>
873  <seriesInfo name="RFC" value="5234"/>
874</reference>
875
876</references>
877
878<references title="Informative References">
879
880<reference anchor="RFC2616">
881  <front>
882    <title>Hypertext Transfer Protocol -- HTTP/1.1</title>
883    <author initials="R." surname="Fielding" fullname="R. Fielding">
884      <organization>University of California, Irvine</organization>
885      <address><email>fielding@ics.uci.edu</email></address>
886    </author>
887    <author initials="J." surname="Gettys" fullname="J. Gettys">
888      <organization>W3C</organization>
889      <address><email>jg@w3.org</email></address>
890    </author>
891    <author initials="J." surname="Mogul" fullname="J. Mogul">
892      <organization>Compaq Computer Corporation</organization>
893      <address><email>mogul@wrl.dec.com</email></address>
894    </author>
895    <author initials="H." surname="Frystyk" fullname="H. Frystyk">
896      <organization>MIT Laboratory for Computer Science</organization>
897      <address><email>frystyk@w3.org</email></address>
898    </author>
899    <author initials="L." surname="Masinter" fullname="L. Masinter">
900      <organization>Xerox Corporation</organization>
901      <address><email>masinter@parc.xerox.com</email></address>
902    </author>
903    <author initials="P." surname="Leach" fullname="P. Leach">
904      <organization>Microsoft Corporation</organization>
905      <address><email>paulle@microsoft.com</email></address>
906    </author>
907    <author initials="T." surname="Berners-Lee" fullname="T. Berners-Lee">
908      <organization>W3C</organization>
909      <address><email>timbl@w3.org</email></address>
910    </author>
911    <date month="June" year="1999"/>
912  </front>
913  <seriesInfo name="RFC" value="2616"/>
914</reference>
915
916<reference anchor="RFC2617">
917  <front>
918    <title abbrev="HTTP Authentication">HTTP Authentication: Basic and Digest Access Authentication</title>
919    <author initials="J." surname="Franks" fullname="John Franks">
920      <organization>Northwestern University, Department of Mathematics</organization>
921      <address><email>john@math.nwu.edu</email></address>
922    </author>
923    <author initials="P.M." surname="Hallam-Baker" fullname="Phillip M. Hallam-Baker">
924      <organization>Verisign Inc.</organization>
925      <address><email>pbaker@verisign.com</email></address>
926    </author>
927    <author initials="J.L." surname="Hostetler" fullname="Jeffery L. Hostetler">
928      <organization>AbiSource, Inc.</organization>
929      <address><email>jeff@AbiSource.com</email></address>
930    </author>
931    <author initials="S.D." surname="Lawrence" fullname="Scott D. Lawrence">
932      <organization>Agranat Systems, Inc.</organization>
933      <address><email>lawrence@agranat.com</email></address>
934    </author>
935    <author initials="P.J." surname="Leach" fullname="Paul J. Leach">
936      <organization>Microsoft Corporation</organization>
937      <address><email>paulle@microsoft.com</email></address>
938    </author>
939    <author initials="A." surname="Luotonen" fullname="Ari Luotonen">
940      <organization>Netscape Communications Corporation</organization>
941    </author>
942    <author initials="L." surname="Stewart" fullname="Lawrence C. Stewart">
943      <organization>Open Market, Inc.</organization>
944      <address><email>stewart@OpenMarket.com</email></address>
945    </author>
946    <date month="June" year="1999"/>
947  </front>
948  <seriesInfo name="RFC" value="2617"/>
949</reference>
950
951<reference anchor='RFC3864'>
952  <front>
953    <title>Registration Procedures for Message Header Fields</title>
954    <author initials='G.' surname='Klyne' fullname='G. Klyne'>
955      <organization>Nine by Nine</organization>
956      <address><email>GK-IETF@ninebynine.org</email></address>
957    </author>
958    <author initials='M.' surname='Nottingham' fullname='M. Nottingham'>
959      <organization>BEA Systems</organization>
960      <address><email>mnot@pobox.com</email></address>
961    </author>
962    <author initials='J.' surname='Mogul' fullname='J. Mogul'>
963      <organization>HP Labs</organization>
964      <address><email>JeffMogul@acm.org</email></address>
965    </author>
966    <date year='2004' month='September' />
967  </front>
968  <seriesInfo name='BCP' value='90' />
969  <seriesInfo name='RFC' value='3864' />
970</reference>
971
972<reference anchor='RFC5226'>
973  <front>
974    <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
975    <author initials='T.' surname='Narten' fullname='T. Narten'>
976      <organization>IBM</organization>
977      <address><email>narten@us.ibm.com</email></address>
978    </author>
979    <author initials='H.' surname='Alvestrand' fullname='H. Alvestrand'>
980      <organization>Google</organization>
981      <address><email>Harald@Alvestrand.no</email></address>
982    </author>
983    <date year='2008' month='May' />
984  </front>
985  <seriesInfo name='BCP' value='26' />
986  <seriesInfo name='RFC' value='5226' />
987</reference>
988
989</references>
990
991<!-- re-add this once we have changes
992<section title="Changes from RFC 2616" anchor="changes.from.rfc.2616">
993</section>
994 -->
995 
996<?BEGININC p7-auth.abnf-appendix ?>
997<section xmlns:x="http://purl.org/net/xml2rfc/ext" title="Collected ABNF" anchor="collected.abnf">
998<figure>
999<artwork type="abnf" name="p7-auth.parsed-abnf">
1000<x:ref>Authorization</x:ref> = "Authorization:" OWS Authorization-v
1001<x:ref>Authorization-v</x:ref> = credentials
1002
1003<x:ref>OWS</x:ref> = &lt;OWS, defined in [Part1], Section 1.2.2&gt;
1004
1005<x:ref>Proxy-Authenticate</x:ref> = "Proxy-Authenticate:" OWS Proxy-Authenticate-v
1006<x:ref>Proxy-Authenticate-v</x:ref> = *( "," OWS ) challenge *( OWS "," [ OWS
1007 challenge ] )
1008<x:ref>Proxy-Authorization</x:ref> = "Proxy-Authorization:" OWS
1009 Proxy-Authorization-v
1010<x:ref>Proxy-Authorization-v</x:ref> = credentials
1011
1012<x:ref>WWW-Authenticate</x:ref> = "WWW-Authenticate:" OWS WWW-Authenticate-v
1013<x:ref>WWW-Authenticate-v</x:ref> = *( "," OWS ) challenge *( OWS "," [ OWS
1014 challenge ] )
1015
1016<x:ref>auth-param</x:ref> = token "=" ( token / quoted-string )
1017<x:ref>auth-scheme</x:ref> = token
1018
1019<x:ref>challenge</x:ref> = auth-scheme 1*SP *( "," OWS ) auth-param *( OWS "," [ OWS
1020 auth-param ] )
1021<x:ref>credentials</x:ref> = auth-scheme ( token / quoted-string / [ ( "," /
1022 auth-param ) *( OWS "," [ OWS auth-param ] ) ] )
1023
1024<x:ref>quoted-string</x:ref> = &lt;quoted-string, defined in [Part1], Section 1.2.2&gt;
1025
1026realm = "realm=" realm-value
1027realm-value = quoted-string
1028
1029<x:ref>token</x:ref> = &lt;token, defined in [Part1], Section 1.2.2&gt;
1030</artwork>
1031</figure>
1032<figure><preamble>ABNF diagnostics:</preamble><artwork type="inline">
1033; Authorization defined but not used
1034; Proxy-Authenticate defined but not used
1035; Proxy-Authorization defined but not used
1036; WWW-Authenticate defined but not used
1037; realm defined but not used
1038</artwork></figure></section>
1039<?ENDINC p7-auth.abnf-appendix ?>
1040
1041<section title="Change Log (to be removed by RFC Editor before publication)"  anchor="change.log">
1042
1043<section title="Since RFC 2616">
1044<t>
1045  Extracted relevant partitions from <xref target="RFC2616"/>.
1046</t>
1047</section>
1048
1049<section title="Since draft-ietf-httpbis-p7-auth-00">
1050<t>
1051  Closed issues:
1052  <list style="symbols"> 
1053    <t>
1054      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/35"/>:
1055      "Normative and Informative references"
1056    </t>
1057  </list>
1058</t>
1059</section>
1060
1061<section title="Since draft-ietf-httpbis-p7-auth-01">
1062<t>
1063  Ongoing work on ABNF conversion (<eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/36"/>):
1064  <list style="symbols"> 
1065    <t>
1066      Explicitly import BNF rules for "challenge" and "credentials" from RFC2617.
1067    </t>
1068    <t>
1069      Add explicit references to BNF syntax and rules imported from other parts of the specification.
1070    </t>
1071  </list>
1072</t>
1073</section>
1074
1075<section title="Since draft-ietf-httpbis-p7-auth-02" anchor="changes.since.02">
1076<t>
1077  Ongoing work on IANA Message Header Field Registration (<eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/40"/>):
1078  <list style="symbols"> 
1079    <t>
      Reference RFC 3864, and update header field registrations for header fields defined
      in this document.
1082    </t>
1083  </list>
1084</t>
1085</section>
1086
1087<section title="Since draft-ietf-httpbis-p7-auth-03" anchor="changes.since.03">
1088<t>
1089</t>
1090</section>
1091
1092<section title="Since draft-ietf-httpbis-p7-auth-04" anchor="changes.since.04">
1093<t>
1094  Ongoing work on ABNF conversion (<eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/36"/>):
1095  <list style="symbols"> 
1096    <t>
1097      Use "/" instead of "|" for alternatives.
1098    </t>
1099    <t>
1100      Introduce new ABNF rules for "bad" whitespace ("BWS"), optional
1101      whitespace ("OWS") and required whitespace ("RWS").
1102    </t>
1103    <t>
1104      Rewrite ABNFs to spell out whitespace rules, factor out
1105      header field value format definitions.
1106    </t>
1107  </list>
1108</t>
1109</section>
1110
1111<section title="Since draft-ietf-httpbis-p7-auth-05" anchor="changes.since.05">
1112<t>
1113  Final work on ABNF conversion (<eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/36"/>):
1114  <list style="symbols"> 
1115    <t>
1116      Add appendix containing collected and expanded ABNF, reorganize ABNF introduction.
1117    </t>
1118  </list>
1119</t>
1120</section>
1121
1122<section title="Since draft-ietf-httpbis-p7-auth-06" anchor="changes.since.06">
1123<t>
1124  None.
1125</t>
1126</section>
1127
1128<section title="Since draft-ietf-httpbis-p7-auth-07" anchor="changes.since.07">
1129<t>
1130  Closed issues:
1131  <list style="symbols"> 
1132    <t>
1133      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/198"/>:
1134      "move IANA registrations for optional status codes"
1135    </t>
1136  </list>
1137</t>
1138</section>
1139
1140<section title="Since draft-ietf-httpbis-p7-auth-08" anchor="changes.since.08">
1141<t>
1142  No significant changes.
1143</t>
1144</section>
1145
1146<section title="Since draft-ietf-httpbis-p7-auth-09" anchor="changes.since.09">
1147<t>
1148  Partly resolved issues:
1149  <list style="symbols"> 
1150    <t>
1151      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/196"/>:
1152      "Term for the requested resource's URI"
1153    </t>
1154  </list>
1155</t>
1156</section>
1157
1158<section title="Since draft-ietf-httpbis-p7-auth-10" anchor="changes.since.10">
1159<t>
1160  None yet.
1161</t>
1162</section>
1163
1164<section title="Since draft-ietf-httpbis-p7-auth-11" anchor="changes.since.11">
1165<t>
1166  Closed issues:
1167  <list style="symbols"> 
1168    <t>
1169      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/130"/>:
1170      "introduction to part 7 is work-in-progress"
1171    </t>
1172    <t>
1173      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/195"/>:
1174      "auth-param syntax"
1175    </t>
1176    <t>
1177      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/237"/>:
1178      "absorbing the auth framework from 2617"
1179    </t>
1180  </list>
1181</t>
1182<t>
1183  Partly resolved issues:
1184  <list style="symbols"> 
1185    <t>
1186      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/141"/>:
1187      "should we have an auth scheme registry"
1188    </t>
1189  </list>
1190</t>
1191</section>
1192
1193<section title="Since draft-ietf-httpbis-p7-auth-12" anchor="changes.since.12">
1194<t>
1195  None yet.
1196</t>
1197</section>
1198
1199</section>
1200
1201</back>
1202</rfc>