Changeset 1356


Timestamp: Jul 26, 2011, 9:00:04 AM (8 years ago)
Author: julian.reschke@…
Message: Considerations for new authentications schemes (see #257)
Location: draft-ietf-httpbis/latest
Files: 2 edited

  • draft-ietf-httpbis/latest/p7-auth.html

    r1354 r1356  
    545545               <li>2.1&nbsp;&nbsp;&nbsp;<a href="#challenge.and.response">Challenge and Response</a></li>
    546546               <li>2.2&nbsp;&nbsp;&nbsp;<a href="#protection.space">Protection Space (Realm)</a></li>
    547                <li>2.3&nbsp;&nbsp;&nbsp;<a href="#authentication.scheme.registry">Authentication Scheme Registry</a></li>
     547               <li>2.3&nbsp;&nbsp;&nbsp;<a href="#authentication.scheme.registry">Authentication Scheme Registry</a><ul>
     548                     <li>2.3.1&nbsp;&nbsp;&nbsp;<a href="#considerations.for.new.authentication.schemes">Considerations for New Authentication Schemes</a></li>
     549                  </ul>
     550               </li>
    548551            </ul>
    549552         </li>
     
    707710      <p id="rfc.section.2.3.p.4">The registry itself is maintained at &lt;<a href="http://www.iana.org/assignments/http-authschemes">http://www.iana.org/assignments/http-authschemes</a>&gt;.
    708711      </p>
     712      <h3 id="rfc.section.2.3.1"><a href="#rfc.section.2.3.1">2.3.1</a>&nbsp;<a id="considerations.for.new.authentication.schemes" href="#considerations.for.new.authentication.schemes">Considerations for New Authentication Schemes</a></h3>
     713      <p id="rfc.section.2.3.1.p.1">There are certain aspects of the HTTP Authentication Framework that put constraints on how new authentication schemes can
     714         work:
     715      </p>
     716      <p id="rfc.section.2.3.1.p.2"> </p>
     717      <ul>
     718         <li>Authentication schemes need to be compatible with the inherent constraints of HTTP; for instance, that messages need to keep
     719            their semantics when inspected in isolation, thus an authentication scheme can not bind information to the TCP session over
     720            which the message was received (see <a href="p1-messaging.html#message-orientation-and-buffering" title="Message Orientation and Buffering">Section 2.2</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>).
     721         </li>
     722         <li>The authentication parameter "realm" is reserved for defining Protection Spaces as defined in <a href="#protection.space" title="Protection Space (Realm)">Section&nbsp;2.2</a>. New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition.
     723         </li>
     724         <li>Authentication schemes need to document whther they are usable in origin-server authentication (i.e., using WWW-Authenticate),
     725            and/or proxy authentication (i.e., using Proxy-Authenticate).
     726         </li>
     727      </ul>
    709728      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1>
    710729      <div id="rfc.iref.8"></div>
     
    752771      <h2 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a>&nbsp;<a id="header.proxy-authenticate" href="#header.proxy-authenticate">Proxy-Authenticate</a></h2>
    753772      <p id="rfc.section.4.2.p.1">The "Proxy-Authenticate" header field consists of a challenge that indicates the authentication scheme and parameters applicable
    754          to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response.
     773         to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response.
    755774      </p>
    756775      <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.2"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
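Review bot: the id on the [Part1] citation in Section 4.2 changes from rfc.xref.Part1.7 to rfc.xref.Part1.8 (old line 754, new line 773), and the same shift happens in 4.4 (Part1.8 becomes Part1.9). The value rfc.xref.Part1.7 is reused for the new citation in 2.3.1, so any existing link to that fragment now lands in a different section. If anything outside the generated file links to these ids, it needs updating; otherwise it is worth stating in the commit message that the renumbering is expected generator output.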
     
    776795      <h2 id="rfc.section.4.4"><a href="#rfc.section.4.4">4.4</a>&nbsp;<a id="header.www-authenticate" href="#header.www-authenticate">WWW-Authenticate</a></h2>
    777796      <p id="rfc.section.4.4.p.1">The "WWW-Authenticate" header field consists of at least one challenge that indicates the authentication scheme(s) and parameters
    778          applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages.
     797         applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.9"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages.
    779798      </p>
    780799      <div id="rfc.figure.u.9"></div><pre class="inline"><span id="rfc.iref.g.4"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
     
    10891108         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/177">http://tools.ietf.org/wg/httpbis/trac/ticket/177</a>&gt;: "Realm required on challenges"
    10901109         </li>
     1110         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/257">http://tools.ietf.org/wg/httpbis/trac/ticket/257</a>&gt;: "Considerations for new authentications schemes"
     1111         </li>
    10911112      </ul>
    10921113      <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1>
     
    11341155            </li>
    11351156            <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul>
    1136                   <li><em>Part1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a>, <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a>, <a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7">4.2</a>, <a href="#rfc.xref.Part1.8">4.4</a>, <a href="#Part1"><b>8.1</b></a><ul>
     1157                  <li><em>Part1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a>, <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a>, <a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7">2.3.1</a>, <a href="#rfc.xref.Part1.8">4.2</a>, <a href="#rfc.xref.Part1.9">4.4</a>, <a href="#Part1"><b>8.1</b></a><ul>
    11371158                        <li><em>Section 1.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a></li>
    11381159                        <li><em>Section 1.2.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a></li>
    1139                         <li><em>Section 4.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7">4.2</a>, <a href="#rfc.xref.Part1.8">4.4</a></li>
     1160                        <li><em>Section 2.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.7">2.3.1</a></li>
     1161                        <li><em>Section 4.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.8">4.2</a>, <a href="#rfc.xref.Part1.9">4.4</a></li>
    11401162                     </ul>
    11411163                  </li>
  • draft-ietf-httpbis/latest/p7-auth.xml

    r1354 r1356  
    2020  <!ENTITY basic-rules                  "<xref target='Part1' x:rel='#basic.rules' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    2121  <!ENTITY effective-request-uri        "<xref target='Part1' x:rel='#effective.request.uri' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
     22  <!ENTITY msg-orient-and-buffering     "<xref target='Part1' x:rel='#message-orientation-and-buffering' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    2223  <!ENTITY end-to-end.and-hop-by-hop    "<xref target='Part1' x:rel='#end-to-end.and.hop-by-hop.header-fields' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    2324  <!ENTITY shared-and-non-shared-caches "<xref target='Part6' x:rel='#shared.and.non-shared.caches' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
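Review bot: the new entity at line 22 targets x:rel='#message-orientation-and-buffering', a hyphen-separated anchor, while the neighbouring entities target dot-separated anchors ('#basic.rules', '#effective.request.uri', '#end-to-end.and.hop-by-hop.header-fields'). The generated HTML shows the reference resolving to Section 2.2 of Part1, so the link works, but the anchor looks auto-generated rather than explicitly assigned. Consider giving the Part1 section an explicit dotted anchor and referencing that, so the cross-reference survives a change to the section title.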
     
    441442  The registry itself is maintained at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
    442443</t>
     444
     445<section title="Considerations for New Authentication Schemes" anchor="considerations.for.new.authentication.schemes">
     446<t>
     447  There are certain aspects of the HTTP Authentication Framework that put
     448  constraints on how new authentication schemes can work:
     449</t>
     450<t>
     451  <list style="symbols">
     452    <t>
     453      Authentication schemes need to be compatible with the inherent
     454      constraints of HTTP; for instance, that messages need to keep their
     455      semantics when inspected in isolation, thus an authentication scheme
     456      can not bind information to the TCP session over which the message
     457      was received (see &msg-orient-and-buffering;).
     458    </t>
     459    <t>
     460      The authentication parameter "realm" is reserved for defining Protection
     461      Spaces as defined in <xref target="protection.space"/>. New schemes
     462      &MUST-NOT; use it in a way incompatible with that definition.
     463    </t>
     464    <t>
     465      Authentication schemes need to document whther they are usable in
     466      origin-server authentication (i.e., using WWW-Authenticate), and/or
     467      proxy authentication (i.e., using Proxy-Authenticate).
     468    </t>   
     469    <!-- note about Authorization header -->
     470  </list>
     471</t>
     472</section>
     473
    443474</section>
    444475
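Review bot: "whther" at new line 465 should be "whether"; the typo is carried into the generated p7-auth.html (new line 724), so that file needs regenerating after the fix. Two further points on the same list: the comment at line 469, "note about Authorization header", marks an item that is not written yet and should either be filled in or tracked on #257 before this text ships; and only the "realm" item uses a requirement keyword (&MUST-NOT;) while the first and third items say "need to", which leaves it unclear whether those are requirements on scheme definitions or advice. The trailing whitespace after the closing t element at line 468 can also be dropped.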
     
    12281259      "Realm required on challenges"
    12291260    </t>
     1261    <t>
     1262      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/257"/>:
     1263      "Considerations for new authentications schemes"
     1264    </t>
    12301265  </list>
    12311266</t>