Timestamp:
25/05/14 13:57:58 (6 years ago)
Author:
julian.reschke@…
Message:

editorial fixes (#553)

Location:
draft-ietf-httpbis/latest
Files:
5 edited

  • draft-ietf-httpbis/latest/auth48/p7-auth.unpg.txt

    r2678 r2692  
    66Obsoletes: 2616 (if approved)                            J. Reschke, Ed.
    77Updates: 2617 (if approved)                                   greenbytes
    8 Intended status: Standards Track                            May 16, 2014
    9 Expires: November 17, 2014
     8Intended status: Standards Track                            May 25, 2014
     9Expires: November 26, 2014
    1010
    1111
     
    4848   material or to cite them other than as "work in progress."
    4949
    50    This Internet-Draft will expire on November 17, 2014.
    51 
    52 
    53 
    54 
    55 Fielding & Reschke      Expires November 17, 2014               [Page 1]
     50   This Internet-Draft will expire on November 26, 2014.
     51
     52
     53
     54
     55Fielding & Reschke      Expires November 26, 2014               [Page 1]
    5656
    5757
     
    110110
    111111
    112 Fielding & Reschke      Expires November 17, 2014               [Page 2]
     112Fielding & Reschke      Expires November 26, 2014               [Page 2]
    113113
    114114
     
    167167
    168168
    169 Fielding & Reschke      Expires November 17, 2014               [Page 3]
     169Fielding & Reschke      Expires November 26, 2014               [Page 3]
    170170
    171171
     
    217217   insensitive token as a means to identify the authentication scheme,
    218218   followed by additional information necessary for achieving
    219    authentication via that scheme.  The latter can either be a comma-
     219   authentication via that scheme.  The latter can be either a comma-
    220220   separated list of parameters or a single sequence of characters
    221221   capable of holding base64-encoded information.
     
    224224
    225225
    226 Fielding & Reschke      Expires November 17, 2014               [Page 4]
     226Fielding & Reschke      Expires November 26, 2014               [Page 4]
    227227
    228228
     
    281281
    282282
    283 Fielding & Reschke      Expires November 17, 2014               [Page 5]
     283Fielding & Reschke      Expires November 26, 2014               [Page 5]
    284284
    285285
     
    309309   least one (possibly new) challenge applicable to the proxy.
    310310
    311    A server that receives valid credentials which are not adequate to
     311   A server that receives valid credentials that are not adequate to
    312312   gain access ought to respond with the 403 (Forbidden) status code
    313313   (Section 6.5.3 of [RFC7231]).
     
    332332   spaces, each with its own authentication scheme and/or authorization
    333333   database.  The realm value is a string, generally assigned by the
    334    origin server, which can have additional semantics specific to the
     334   origin server, that can have additional semantics specific to the
    335335   authentication scheme.  Note that a response can have multiple
    336    challenges with the same auth-scheme but different realms.
    337 
    338 
    339 
    340 Fielding & Reschke      Expires November 17, 2014               [Page 6]
     336   challenges with the same auth-scheme but with different realms.
     337
     338
     339
     340Fielding & Reschke      Expires November 26, 2014               [Page 6]
    341341
    342342
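Review bot: On new line 334, replacing "which" with "that" while keeping the comma after "origin server" makes the clause read as if it attaches to "origin server" rather than to "string". A restrictive "that" does not normally follow a comma; keeping "which" for this non-restrictive clause would avoid the ambiguity. The same wording appears in the abdiff entry for this paragraph.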
     
    380380
    381381   The 407 (Proxy Authentication Required) status code is similar to 401
    382    (Unauthorized), but indicates that the client needs to authenticate
    383    itself in order to use a proxy.  The proxy MUST send a Proxy-
    384    Authenticate header field (Section 4.3) containing a challenge
     382   (Unauthorized), but it indicates that the client needs to
     383   authenticate itself in order to use a proxy.  The proxy MUST send a
     384   Proxy-Authenticate header field (Section 4.3) containing a challenge
    385385   applicable to that proxy for the target resource.  The client MAY
    386386   repeat the request with a new or replaced Proxy-Authorization header
     
    395395
    396396
    397 Fielding & Reschke      Expires November 17, 2014               [Page 7]
     397Fielding & Reschke      Expires November 26, 2014               [Page 7]
    398398
    399399
     
    452452
    453453
    454 Fielding & Reschke      Expires November 17, 2014               [Page 8]
     454Fielding & Reschke      Expires November 26, 2014               [Page 8]
    455455
    456456
     
    509509
    510510
    511 Fielding & Reschke      Expires November 17, 2014               [Page 9]
     511Fielding & Reschke      Expires November 26, 2014               [Page 9]
    512512
    513513
     
    5265265.1.  Authentication Scheme Registry
    527527
    528    The HTTP Authentication Scheme Registry defines the namespace for the
    529    authentication schemes in challenges and credentials.  It will be
    530    created and maintained at (the suggested URI)
    531    <http://www.iana.org/assignments/http-authschemes>.
     528   The "Hypertext Transfer Protocol (HTTP) Authentication Scheme
     529   Registry" defines the namespace for the authentication schemes in
     530   challenges and credentials.  It will has been created and is now
     531   maintained at <http://www.iana.org/assignments/http-authschemes>.
    532532
    5335335.1.1.  Procedure
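Review bot: New line 530 reads "It will has been created and is now maintained at", which leaves the "will" from the old "It will be created" in place. The sentence should read "It has been created and is now maintained at".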
     
    559559
    560560   o  The authentication parameter "realm" is reserved for defining
    561       Protection Spaces as defined in Section 2.2.  New schemes MUST NOT
    562       use it in a way incompatible with that definition.
    563 
    564 
    565 
    566 
    567 
    568 Fielding & Reschke      Expires November 17, 2014              [Page 10]
     561      protection spaces as described in Section 2.2.  New schemes MUST
     562      NOT use it in a way incompatible with that definition.
     563
     564
     565
     566
     567
     568Fielding & Reschke      Expires November 26, 2014              [Page 10]
    569569
    570570
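Review bot: New line 561 changes "as defined in Section 2.2" to "as described in Section 2.2", but the following sentence still ends "incompatible with that definition", so "that definition" loses its explicit antecedent. Either keep "defined" or confirm that the mixed wording is what the AUTH48 text calls for.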
     
    574574   o  The "token68" notation was introduced for compatibility with
    575575      existing authentication schemes and can only be used once per
    576       challenge or credential.  New schemes thus ought to use the "auth-
    577       param" syntax instead, because otherwise future extensions will be
     576      challenge or credential.  Thus, new schemes ought to use the auth-
     577      param syntax instead, because otherwise future extensions will be
    578578      impossible.
    579579
    580580   o  The parsing of challenges and credentials is defined by this
    581       specification, and cannot be modified by new authentication
     581      specification and cannot be modified by new authentication
    582582      schemes.  When the auth-param syntax is used, all parameters ought
    583583      to support both token and quoted-string syntax, and syntactical
     
    593593   o  Definitions of new schemes ought to define the treatment of
    594594      unknown extension parameters.  In general, a "must-ignore" rule is
    595       preferable over "must-understand", because otherwise it will be
    596       hard to introduce new parameters in the presence of legacy
     595      preferable to a "must-understand" rule, because otherwise it will
     596      be hard to introduce new parameters in the presence of legacy
    597597      recipients.  Furthermore, it's good to describe the policy for
    598       defining new parameters (such as "update the specification", or
     598      defining new parameters (such as "update the specification" or
    599599      "use this registry").
    600600
     
    604604
    605605   o  The credentials carried in an Authorization header field are
    606       specific to the User Agent, and therefore have the same effect on
     606      specific to the user agent and, therefore, have the same effect on
    607607      HTTP caches as the "private" Cache-Control response directive
    608       (Section 5.2.2.6 of [RFC7234]), within the scope of the request
    609       they appear in.
     608      (Section 5.2.2.6 of [RFC7234]), within the scope of the request in
     609      which they appear.
    610610
    611611      Therefore, new authentication schemes that choose not to carry
     
    623623
    624624
    625 Fielding & Reschke      Expires November 17, 2014              [Page 11]
     625Fielding & Reschke      Expires November 26, 2014              [Page 11]
    626626
    627627
     
    680680
    681681
    682 Fielding & Reschke      Expires November 17, 2014              [Page 12]
     682Fielding & Reschke      Expires November 26, 2014              [Page 12]
    683683
    684684
     
    737737
    738738
    739 Fielding & Reschke      Expires November 17, 2014              [Page 13]
     739Fielding & Reschke      Expires November 26, 2014              [Page 13]
    740740
    741741
     
    794794
    795795
    796 Fielding & Reschke      Expires November 17, 2014              [Page 14]
     796Fielding & Reschke      Expires November 26, 2014              [Page 14]
    797797
    798798
     
    851851
    852852
    853 Fielding & Reschke      Expires November 17, 2014              [Page 15]
     853Fielding & Reschke      Expires November 26, 2014              [Page 15]
    854854
    855855
     
    908908
    909909
    910 Fielding & Reschke      Expires November 17, 2014              [Page 16]
     910Fielding & Reschke      Expires November 26, 2014              [Page 16]
    911911
    912912
     
    965965
    966966
    967 Fielding & Reschke      Expires November 17, 2014              [Page 17]
     967Fielding & Reschke      Expires November 26, 2014              [Page 17]
    968968
    969969
     
    10221022
    10231023
    1024 Fielding & Reschke      Expires November 17, 2014              [Page 18]
    1025 
    1026 
     1024Fielding & Reschke      Expires November 26, 2014              [Page 18]
     1025
     1026
  • draft-ietf-httpbis/latest/auth48/rfc7235.abdiff.txt

    r2678 r2692  
    77 Obsoletes: 2616 (if approved)                            J. Reschke, Ed.
    88 Updates: 2617 (if approved)                                   greenbytes
    9  Intended status: Standards Track                            May 16, 2014
    10  Expires: November 17, 2014
     9 Intended status: Standards Track                            May 25, 2014
     10 Expires: November 26, 2014
    1111
    1212NEW:
     
    9191OLD:
    9292
    93     This Internet-Draft will expire on November 17, 2014.
     93    This Internet-Draft will expire on November 26, 2014.
    9494
    9595NEW:
     
    196196
    197197
    198 Section 2.1., paragraph 1:
    199 OLD:
    200 
    201     HTTP provides a simple challenge-response authentication framework
    202     that can be used by a server to challenge a client request and by a
    203     client to provide authentication information.  It uses a case-
    204     insensitive token as a means to identify the authentication scheme,
    205     followed by additional information necessary for achieving
    206     authentication via that scheme.  The latter can either be a comma-
    207     separated list of parameters or a single sequence of characters
    208     capable of holding base64-encoded information.
    209 
    210 NEW:
    211 
    212     HTTP provides a simple challenge-response authentication framework
    213     that can be used by a server to challenge a client request and by a
    214     client to provide authentication information.  It uses a case-
    215     insensitive token as a means to identify the authentication scheme,
    216     followed by additional information necessary for achieving
    217     authentication via that scheme.  The latter can be either a comma-
    218     separated list of parameters or a single sequence of characters
    219     capable of holding base64-encoded information.
    220 
    221 
    222 Section 2.1., paragraph 17:
    223 OLD:
    224 
    225     A server that receives valid credentials which are not adequate to
    226     gain access ought to respond with the 403 (Forbidden) status code
    227     (Section 6.5.3 of [RFC7231]).
    228 
    229 NEW:
    230 
    231     A server that receives valid credentials that are not adequate to
    232     gain access ought to respond with the 403 (Forbidden) status code
    233     (Section 6.5.3 of [RFC7231]).
    234 
    235 
    236 Section 5.5, paragraph 0:
    237 OLD:
    238 
    239     A protection space is defined by the canonical root URI (the scheme
    240     and authority components of the effective request URI; see Section
    241     5.5 of [RFC7230]) of the server being accessed, in combination with
    242     the realm value if present.  These realms allow the protected
    243     resources on a server to be partitioned into a set of protection
    244     spaces, each with its own authentication scheme and/or authorization
    245     database.  The realm value is a string, generally assigned by the
    246     origin server, which can have additional semantics specific to the
    247     authentication scheme.  Note that a response can have multiple
    248     challenges with the same auth-scheme but different realms.
    249 
    250 NEW:
    251 
    252     A protection space is defined by the canonical root URI (the scheme
    253     and authority components of the effective request URI; see Section
    254     5.5 of [RFC7230]) of the server being accessed, in combination with
    255     the realm value if present.  These realms allow the protected
    256     resources on a server to be partitioned into a set of protection
    257     spaces, each with its own authentication scheme and/or authorization
    258     database.  The realm value is a string, generally assigned by the
    259     origin server, that can have additional semantics specific to the
    260     authentication scheme.  Note that a response can have multiple
    261     challenges with the same auth-scheme but with different realms.
    262 
    263 
    264 Section 3.2., paragraph 1:
    265 OLD:
    266 
    267     The 407 (Proxy Authentication Required) status code is similar to 401
    268     (Unauthorized), but indicates that the client needs to authenticate
    269     itself in order to use a proxy.  The proxy MUST send a Proxy-
    270     Authenticate header field (Section 4.3) containing a challenge
    271     applicable to that proxy for the target resource.  The client MAY
    272     repeat the request with a new or replaced Proxy-Authorization header
    273     field (Section 4.4).
    274 
    275 NEW:
    276 
    277     The 407 (Proxy Authentication Required) status code is similar to 401
    278     (Unauthorized), but it indicates that the client needs to
    279     authenticate itself in order to use a proxy.  The proxy MUST send a
    280     Proxy-Authenticate header field (Section 4.3) containing a challenge
    281     applicable to that proxy for the target resource.  The client MAY
    282     repeat the request with a new or replaced Proxy-Authorization header
    283     field (Section 4.4).
    284 
    285 
    286198Section 5.1., paragraph 1:
    287199OLD:
    288200
    289     The HTTP Authentication Scheme Registry defines the namespace for the
    290     authentication schemes in challenges and credentials.  It will be
    291     created and maintained at (the suggested URI)
    292     <http://www.iana.org/assignments/http-authschemes>.
     201    The "Hypertext Transfer Protocol (HTTP) Authentication Scheme
     202    Registry" defines the namespace for the authentication schemes in
     203    challenges and credentials.  It will has been created and is now
     204    maintained at <http://www.iana.org/assignments/http-authschemes>.
    293205
    294206NEW:
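Review bot: The regenerated OLD text for Section 5.1., paragraph 1 (new lines 201-204) carries "It will has been created", and this paragraph stays in the abdiff while the other edited paragraphs in this hunk drop out. The NEW side visible below ends "registry has been created and is now maintained at", so the source paragraph needs correcting and the abdiff regenerating before this entry can disappear.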
     
    298210    registry has been created and is now maintained at
    299211    <http://www.iana.org/assignments/http-authschemes>.
    300 
    301 
    302 Section 5.1.2., paragraph 3:
    303 OLD:
    304 
    305     o  The authentication parameter "realm" is reserved for defining
    306        Protection Spaces as defined in Section 2.2.  New schemes MUST NOT
    307        use it in a way incompatible with that definition.
    308 
    309 NEW:
    310 
    311     o  The authentication parameter "realm" is reserved for defining
    312        protection spaces as described in Section 2.2.  New schemes MUST
    313        NOT use it in a way incompatible with that definition.
    314 
    315 
    316 Section 5.1.2., paragraph 4:
    317 OLD:
    318 
    319     o  The "token68" notation was introduced for compatibility with
    320        existing authentication schemes and can only be used once per
    321        challenge or credential.  New schemes thus ought to use the "auth-
    322        param" syntax instead, because otherwise future extensions will be
    323        impossible.
    324 
    325 NEW:
    326 
    327     o  The "token68" notation was introduced for compatibility with
    328        existing authentication schemes and can only be used once per
    329        challenge or credential.  Thus, new schemes ought to use the auth-
    330        param syntax instead, because otherwise future extensions will be
    331        impossible.
    332 
    333 
    334 Section 5.1.2., paragraph 5:
    335 OLD:
    336 
    337     o  The parsing of challenges and credentials is defined by this
    338        specification, and cannot be modified by new authentication
    339        schemes.  When the auth-param syntax is used, all parameters ought
    340        to support both token and quoted-string syntax, and syntactical
    341        constraints ought to be defined on the field value after parsing
    342        (i.e., quoted-string processing).  This is necessary so that
    343        recipients can use a generic parser that applies to all
    344        authentication schemes.
    345 
    346 NEW:
    347 
    348     o  The parsing of challenges and credentials is defined by this
    349        specification and cannot be modified by new authentication
    350        schemes.  When the auth-param syntax is used, all parameters ought
    351        to support both token and quoted-string syntax, and syntactical
    352        constraints ought to be defined on the field value after parsing
    353        (i.e., quoted-string processing).  This is necessary so that
    354        recipients can use a generic parser that applies to all
    355        authentication schemes.
    356 
    357 
    358 Section 5.1.2., paragraph 7:
    359 OLD:
    360 
    361     o  Definitions of new schemes ought to define the treatment of
    362        unknown extension parameters.  In general, a "must-ignore" rule is
    363        preferable over "must-understand", because otherwise it will be
    364        hard to introduce new parameters in the presence of legacy
    365        recipients.  Furthermore, it's good to describe the policy for
    366        defining new parameters (such as "update the specification", or
    367        "use this registry").
    368 
    369 NEW:
    370 
    371     o  Definitions of new schemes ought to define the treatment of
    372        unknown extension parameters.  In general, a "must-ignore" rule is
    373        preferable to a "must-understand" rule, because otherwise it will
    374        be hard to introduce new parameters in the presence of legacy
    375        recipients.  Furthermore, it's good to describe the policy for
    376        defining new parameters (such as "update the specification" or
    377        "use this registry").
    378 
    379 
    380 Section 5.1.2., paragraph 9:
    381 OLD:
    382 
    383     o  The credentials carried in an Authorization header field are
    384        specific to the User Agent, and therefore have the same effect on
    385        HTTP caches as the "private" Cache-Control response directive
    386        (Section 5.2.2.6 of [RFC7234]), within the scope of the request
    387        they appear in.
    388 
    389 NEW:
    390 
    391     o  The credentials carried in an Authorization header field are
    392        specific to the user agent and, therefore, have the same effect on
    393        HTTP caches as the "private" Cache-Control response directive
    394        (Section 5.2.2.6 of [RFC7234]), within the scope of the request in
    395        which they appear.
    396212
    397213
  • draft-ietf-httpbis/latest/auth48/rfc7235.diff.html

    r2678 r2692  
    4343      <tr><td class="lineno" valign="top"></td><td class="lblock">Obsoletes: 2616 <span class="delete">(if approved)</span>                            J. Reschke, Ed.</td><td> </td><td class="rblock">Obsoletes: 2616                                          J. Reschke, Ed.</td><td class="lineno" valign="top"></td></tr>
    4444      <tr><td class="lineno" valign="top"></td><td class="lblock">Updates: 2617 <span class="delete">(if approved)</span>                                   greenbytes</td><td> </td><td class="rblock">Updates: 2617                                                 greenbytes</td><td class="lineno" valign="top"></td></tr>
    45       <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">Intended status:</span> Standards Track                            May <span class="delete">16, 2014</span></td><td> </td><td class="rblock"><span class="insert">Category:</span> Standards Track                                       May 2014</td><td class="lineno" valign="top"></td></tr>
    46       <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">Expires: November 17,</span> 2014</td><td> </td><td class="rblock"><span class="insert">ISSN: 2070-1721</span></td><td class="lineno" valign="top"></td></tr>
     45      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">Intended status:</span> Standards Track                            May <span class="delete">25, 2014</span></td><td> </td><td class="rblock"><span class="insert">Category:</span> Standards Track                                       May 2014</td><td class="lineno" valign="top"></td></tr>
     46      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">Expires: November 26,</span> 2014</td><td> </td><td class="rblock"><span class="insert">ISSN: 2070-1721</span></td><td class="lineno" valign="top"></td></tr>
    4747      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    4848      <tr><td class="lineno" valign="top"></td><td class="left">         Hypertext Transfer Protocol (HTTP/1.1): Authentication</td><td> </td><td class="right">         Hypertext Transfer Protocol (HTTP/1.1): Authentication</td><td class="lineno" valign="top"></td></tr>
     
    9090      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    9191      <tr><td><a name="diff0006" /></td></tr>
    92       <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">This Internet-Draft will expire</span> on <span class="delete">November 17, 2014.</span></td><td> </td><td class="rblock">   <span class="insert">Information about the current status of this document, any errata,</span></td><td class="lineno" valign="top"></td></tr>
     92      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">This Internet-Draft will expire</span> on <span class="delete">November 26, 2014.</span></td><td> </td><td class="rblock">   <span class="insert">Information about the current status of this document, any errata,</span></td><td class="lineno" valign="top"></td></tr>
    9393      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   and how to provide feedback</span> on <span class="insert">it may be obtained at</span></td><td class="lineno" valign="top"></td></tr>
    9494      <tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">   http://www.rfc-editor.org/info/rfc7235.</span></td><td class="lineno" valign="top"></td></tr>
     
    171171      <tr><td class="lineno" valign="top"></td><td class="left">   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this</td><td> </td><td class="right">   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this</td><td class="lineno" valign="top"></td></tr>
    172172      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
    173       <tr bgcolor="gray" ><td></td><th><a name="part-l3" /><small>skipping to change at</small><em> page 4, line 49</em></th><th> </th><th><a name="part-r3" /><small>skipping to change at</small><em> page 3, line 49</em></th><td></td></tr>
    174       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    175       <tr><td class="lineno" valign="top"></td><td class="left">2.  Access Authentication Framework</td><td> </td><td class="right">2.  Access Authentication Framework</td><td class="lineno" valign="top"></td></tr>
    176       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    177       <tr><td class="lineno" valign="top"></td><td class="left">2.1.  Challenge and Response</td><td> </td><td class="right">2.1.  Challenge and Response</td><td class="lineno" valign="top"></td></tr>
    178       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    179       <tr><td class="lineno" valign="top"></td><td class="left">   HTTP provides a simple challenge-response authentication framework</td><td> </td><td class="right">   HTTP provides a simple challenge-response authentication framework</td><td class="lineno" valign="top"></td></tr>
    180       <tr><td class="lineno" valign="top"></td><td class="left">   that can be used by a server to challenge a client request and by a</td><td> </td><td class="right">   that can be used by a server to challenge a client request and by a</td><td class="lineno" valign="top"></td></tr>
    181       <tr><td class="lineno" valign="top"></td><td class="left">   client to provide authentication information.  It uses a case-</td><td> </td><td class="right">   client to provide authentication information.  It uses a case-</td><td class="lineno" valign="top"></td></tr>
    182       <tr><td class="lineno" valign="top"></td><td class="left">   insensitive token as a means to identify the authentication scheme,</td><td> </td><td class="right">   insensitive token as a means to identify the authentication scheme,</td><td class="lineno" valign="top"></td></tr>
    183       <tr><td class="lineno" valign="top"></td><td class="left">   followed by additional information necessary for achieving</td><td> </td><td class="right">   followed by additional information necessary for achieving</td><td class="lineno" valign="top"></td></tr>
    184       <tr><td><a name="diff0009" /></td></tr>
    185       <tr><td class="lineno" valign="top"></td><td class="lblock">   authentication via that scheme.  The latter can <span class="delete">either be</span> a comma-</td><td> </td><td class="rblock">   authentication via that scheme.  The latter can <span class="insert">be either</span> a comma-</td><td class="lineno" valign="top"></td></tr>
    186       <tr><td class="lineno" valign="top"></td><td class="left">   separated list of parameters or a single sequence of characters</td><td> </td><td class="right">   separated list of parameters or a single sequence of characters</td><td class="lineno" valign="top"></td></tr>
    187       <tr><td class="lineno" valign="top"></td><td class="left">   capable of holding base64-encoded information.</td><td> </td><td class="right">   capable of holding base64-encoded information.</td><td class="lineno" valign="top"></td></tr>
    188       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    189       <tr><td class="lineno" valign="top"></td><td class="left">   Authentication parameters are name=value pairs, where the name token</td><td> </td><td class="right">   Authentication parameters are name=value pairs, where the name token</td><td class="lineno" valign="top"></td></tr>
    190       <tr><td class="lineno" valign="top"></td><td class="left">   is matched case-insensitively, and each parameter name MUST only</td><td> </td><td class="right">   is matched case-insensitively, and each parameter name MUST only</td><td class="lineno" valign="top"></td></tr>
    191       <tr><td class="lineno" valign="top"></td><td class="left">   occur once per challenge.</td><td> </td><td class="right">   occur once per challenge.</td><td class="lineno" valign="top"></td></tr>
    192       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    193       <tr><td class="lineno" valign="top"></td><td class="left">     auth-scheme    = token</td><td> </td><td class="right">     auth-scheme    = token</td><td class="lineno" valign="top"></td></tr>
    194       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    195       <tr><td class="lineno" valign="top"></td><td class="left">     auth-param     = token BWS "=" BWS ( token / quoted-string )</td><td> </td><td class="right">     auth-param     = token BWS "=" BWS ( token / quoted-string )</td><td class="lineno" valign="top"></td></tr>
    196       <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
    197       <tr bgcolor="gray" ><td></td><th><a name="part-l4" /><small>skipping to change at</small><em> page 6, line 26</em></th><th> </th><th><a name="part-r4" /><small>skipping to change at</small><em> page 5, line 26</em></th><td></td></tr>
    198       <tr><td class="lineno" valign="top"></td><td class="left">   (Unauthorized) response that contains a WWW-Authenticate header field</td><td> </td><td class="right">   (Unauthorized) response that contains a WWW-Authenticate header field</td><td class="lineno" valign="top"></td></tr>
    199       <tr><td class="lineno" valign="top"></td><td class="left">   with at least one (possibly new) challenge applicable to the</td><td> </td><td class="right">   with at least one (possibly new) challenge applicable to the</td><td class="lineno" valign="top"></td></tr>
    200       <tr><td class="lineno" valign="top"></td><td class="left">   requested resource.</td><td> </td><td class="right">   requested resource.</td><td class="lineno" valign="top"></td></tr>
    201       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    202       <tr><td class="lineno" valign="top"></td><td class="left">   Likewise, upon receipt of a request that omits proxy credentials or</td><td> </td><td class="right">   Likewise, upon receipt of a request that omits proxy credentials or</td><td class="lineno" valign="top"></td></tr>
    203       <tr><td class="lineno" valign="top"></td><td class="left">   contains invalid or partial proxy credentials, a proxy that requires</td><td> </td><td class="right">   contains invalid or partial proxy credentials, a proxy that requires</td><td class="lineno" valign="top"></td></tr>
    204       <tr><td class="lineno" valign="top"></td><td class="left">   authentication SHOULD generate a 407 (Proxy Authentication Required)</td><td> </td><td class="right">   authentication SHOULD generate a 407 (Proxy Authentication Required)</td><td class="lineno" valign="top"></td></tr>
    205       <tr><td class="lineno" valign="top"></td><td class="left">   response that contains a Proxy-Authenticate header field with at</td><td> </td><td class="right">   response that contains a Proxy-Authenticate header field with at</td><td class="lineno" valign="top"></td></tr>
    206       <tr><td class="lineno" valign="top"></td><td class="left">   least one (possibly new) challenge applicable to the proxy.</td><td> </td><td class="right">   least one (possibly new) challenge applicable to the proxy.</td><td class="lineno" valign="top"></td></tr>
    207       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    208       <tr><td><a name="diff0010" /></td></tr>
    209       <tr><td class="lineno" valign="top"></td><td class="lblock">   A server that receives valid credentials <span class="delete">which</span> are not adequate to</td><td> </td><td class="rblock">   A server that receives valid credentials <span class="insert">that</span> are not adequate to</td><td class="lineno" valign="top"></td></tr>
    210       <tr><td class="lineno" valign="top"></td><td class="left">   gain access ought to respond with the 403 (Forbidden) status code</td><td> </td><td class="right">   gain access ought to respond with the 403 (Forbidden) status code</td><td class="lineno" valign="top"></td></tr>
    211       <tr><td class="lineno" valign="top"></td><td class="left">   (Section 6.5.3 of [RFC7231]).</td><td> </td><td class="right">   (Section 6.5.3 of [RFC7231]).</td><td class="lineno" valign="top"></td></tr>
    212       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    213       <tr><td class="lineno" valign="top"></td><td class="left">   HTTP does not restrict applications to this simple challenge-response</td><td> </td><td class="right">   HTTP does not restrict applications to this simple challenge-response</td><td class="lineno" valign="top"></td></tr>
    214       <tr><td class="lineno" valign="top"></td><td class="left">   framework for access authentication.  Additional mechanisms can be</td><td> </td><td class="right">   framework for access authentication.  Additional mechanisms can be</td><td class="lineno" valign="top"></td></tr>
    215       <tr><td class="lineno" valign="top"></td><td class="left">   used, such as authentication at the transport level or via message</td><td> </td><td class="right">   used, such as authentication at the transport level or via message</td><td class="lineno" valign="top"></td></tr>
    216       <tr><td class="lineno" valign="top"></td><td class="left">   encapsulation, and with additional header fields specifying</td><td> </td><td class="right">   encapsulation, and with additional header fields specifying</td><td class="lineno" valign="top"></td></tr>
    217       <tr><td class="lineno" valign="top"></td><td class="left">   authentication information.  However, such additional mechanisms are</td><td> </td><td class="right">   authentication information.  However, such additional mechanisms are</td><td class="lineno" valign="top"></td></tr>
    218       <tr><td class="lineno" valign="top"></td><td class="left">   not defined by this specification.</td><td> </td><td class="right">   not defined by this specification.</td><td class="lineno" valign="top"></td></tr>
    219       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    220       <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
    221       <tr bgcolor="gray" ><td></td><th><a name="part-l5" /><small>skipping to change at</small><em> page 6, line 49</em></th><th> </th><th><a name="part-r5" /><small>skipping to change at</small><em> page 5, line 49</em></th><td></td></tr>
    222       <tr><td class="lineno" valign="top"></td><td class="left">   The "realm" authentication parameter is reserved for use by</td><td> </td><td class="right">   The "realm" authentication parameter is reserved for use by</td><td class="lineno" valign="top"></td></tr>
    223       <tr><td class="lineno" valign="top"></td><td class="left">   authentication schemes that wish to indicate a scope of protection.</td><td> </td><td class="right">   authentication schemes that wish to indicate a scope of protection.</td><td class="lineno" valign="top"></td></tr>
    224       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    225       <tr><td class="lineno" valign="top"></td><td class="left">   A protection space is defined by the canonical root URI (the scheme</td><td> </td><td class="right">   A protection space is defined by the canonical root URI (the scheme</td><td class="lineno" valign="top"></td></tr>
    226       <tr><td class="lineno" valign="top"></td><td class="left">   and authority components of the effective request URI; see Section</td><td> </td><td class="right">   and authority components of the effective request URI; see Section</td><td class="lineno" valign="top"></td></tr>
    227       <tr><td class="lineno" valign="top"></td><td class="left">   5.5 of [RFC7230]) of the server being accessed, in combination with</td><td> </td><td class="right">   5.5 of [RFC7230]) of the server being accessed, in combination with</td><td class="lineno" valign="top"></td></tr>
    228       <tr><td class="lineno" valign="top"></td><td class="left">   the realm value if present.  These realms allow the protected</td><td> </td><td class="right">   the realm value if present.  These realms allow the protected</td><td class="lineno" valign="top"></td></tr>
    229       <tr><td class="lineno" valign="top"></td><td class="left">   resources on a server to be partitioned into a set of protection</td><td> </td><td class="right">   resources on a server to be partitioned into a set of protection</td><td class="lineno" valign="top"></td></tr>
    230       <tr><td class="lineno" valign="top"></td><td class="left">   spaces, each with its own authentication scheme and/or authorization</td><td> </td><td class="right">   spaces, each with its own authentication scheme and/or authorization</td><td class="lineno" valign="top"></td></tr>
    231       <tr><td class="lineno" valign="top"></td><td class="left">   database.  The realm value is a string, generally assigned by the</td><td> </td><td class="right">   database.  The realm value is a string, generally assigned by the</td><td class="lineno" valign="top"></td></tr>
    232       <tr><td><a name="diff0011" /></td></tr>
    233       <tr><td class="lineno" valign="top"></td><td class="lblock">   origin server, <span class="delete">which</span> can have additional semantics specific to the</td><td> </td><td class="rblock">   origin server, <span class="insert">that</span> can have additional semantics specific to the</td><td class="lineno" valign="top"></td></tr>
    234       <tr><td class="lineno" valign="top"></td><td class="left">   authentication scheme.  Note that a response can have multiple</td><td> </td><td class="right">   authentication scheme.  Note that a response can have multiple</td><td class="lineno" valign="top"></td></tr>
    235       <tr><td><a name="diff0012" /></td></tr>
    236       <tr><td class="lineno" valign="top"></td><td class="lblock">   challenges with the same auth-scheme but different realms.</td><td> </td><td class="rblock">   challenges with the same auth-scheme but <span class="insert">with </span>different realms.</td><td class="lineno" valign="top"></td></tr>
    237       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    238       <tr><td class="lineno" valign="top"></td><td class="left">   The protection space determines the domain over which credentials can</td><td> </td><td class="right">   The protection space determines the domain over which credentials can</td><td class="lineno" valign="top"></td></tr>
    239       <tr><td class="lineno" valign="top"></td><td class="left">   be automatically applied.  If a prior request has been authorized,</td><td> </td><td class="right">   be automatically applied.  If a prior request has been authorized,</td><td class="lineno" valign="top"></td></tr>
    240       <tr><td class="lineno" valign="top"></td><td class="left">   the user agent MAY reuse the same credentials for all other requests</td><td> </td><td class="right">   the user agent MAY reuse the same credentials for all other requests</td><td class="lineno" valign="top"></td></tr>
    241       <tr><td class="lineno" valign="top"></td><td class="left">   within that protection space for a period of time determined by the</td><td> </td><td class="right">   within that protection space for a period of time determined by the</td><td class="lineno" valign="top"></td></tr>
    242       <tr><td class="lineno" valign="top"></td><td class="left">   authentication scheme, parameters, and/or user preferences (such as a</td><td> </td><td class="right">   authentication scheme, parameters, and/or user preferences (such as a</td><td class="lineno" valign="top"></td></tr>
    243       <tr><td class="lineno" valign="top"></td><td class="left">   configurable inactivity timeout).  Unless specifically allowed by the</td><td> </td><td class="right">   configurable inactivity timeout).  Unless specifically allowed by the</td><td class="lineno" valign="top"></td></tr>
    244       <tr><td class="lineno" valign="top"></td><td class="left">   authentication scheme, a single protection space cannot extend</td><td> </td><td class="right">   authentication scheme, a single protection space cannot extend</td><td class="lineno" valign="top"></td></tr>
    245       <tr><td class="lineno" valign="top"></td><td class="left">   outside the scope of its server.</td><td> </td><td class="right">   outside the scope of its server.</td><td class="lineno" valign="top"></td></tr>
    246       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    247       <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
    248       <tr bgcolor="gray" ><td></td><th><a name="part-l6" /><small>skipping to change at</small><em> page 7, line 41</em></th><th> </th><th><a name="part-r6" /><small>skipping to change at</small><em> page 6, line 41</em></th><td></td></tr>
    249       <tr><td class="lineno" valign="top"></td><td class="left">   credentials.  The user agent MAY repeat the request with a new or</td><td> </td><td class="right">   credentials.  The user agent MAY repeat the request with a new or</td><td class="lineno" valign="top"></td></tr>
    250       <tr><td class="lineno" valign="top"></td><td class="left">   replaced Authorization header field (Section 4.2).  If the 401</td><td> </td><td class="right">   replaced Authorization header field (Section 4.2).  If the 401</td><td class="lineno" valign="top"></td></tr>
    251       <tr><td class="lineno" valign="top"></td><td class="left">   response contains the same challenge as the prior response, and the</td><td> </td><td class="right">   response contains the same challenge as the prior response, and the</td><td class="lineno" valign="top"></td></tr>
    252       <tr><td class="lineno" valign="top"></td><td class="left">   user agent has already attempted authentication at least once, then</td><td> </td><td class="right">   user agent has already attempted authentication at least once, then</td><td class="lineno" valign="top"></td></tr>
    253       <tr><td class="lineno" valign="top"></td><td class="left">   the user agent SHOULD present the enclosed representation to the</td><td> </td><td class="right">   the user agent SHOULD present the enclosed representation to the</td><td class="lineno" valign="top"></td></tr>
    254       <tr><td class="lineno" valign="top"></td><td class="left">   user, since it usually contains relevant diagnostic information.</td><td> </td><td class="right">   user, since it usually contains relevant diagnostic information.</td><td class="lineno" valign="top"></td></tr>
    255       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    256       <tr><td class="lineno" valign="top"></td><td class="left">3.2.  407 Proxy Authentication Required</td><td> </td><td class="right">3.2.  407 Proxy Authentication Required</td><td class="lineno" valign="top"></td></tr>
    257       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    258       <tr><td class="lineno" valign="top"></td><td class="left">   The 407 (Proxy Authentication Required) status code is similar to 401</td><td> </td><td class="right">   The 407 (Proxy Authentication Required) status code is similar to 401</td><td class="lineno" valign="top"></td></tr>
    259       <tr><td><a name="diff0013" /></td></tr>
    260       <tr><td class="lineno" valign="top"></td><td class="lblock">   (Unauthorized), but indicates that the client needs to authenticate</td><td> </td><td class="rblock">   (Unauthorized), but <span class="insert">it</span> indicates that the client needs to</td><td class="lineno" valign="top"></td></tr>
    261       <tr><td class="lineno" valign="top"></td><td class="lblock">   itself in order to use a proxy.  The proxy MUST send a <span class="delete">Proxy-</span></td><td> </td><td class="rblock">   authenticate itself in order to use a proxy.  The proxy MUST send a</td><td class="lineno" valign="top"></td></tr>
    262       <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   Authenticate</span> header field (Section 4.3) containing a challenge</td><td> </td><td class="rblock">   <span class="insert">Proxy-Authenticate</span> header field (Section 4.3) containing a challenge</td><td class="lineno" valign="top"></td></tr>
    263       <tr><td class="lineno" valign="top"></td><td class="left">   applicable to that proxy for the target resource.  The client MAY</td><td> </td><td class="right">   applicable to that proxy for the target resource.  The client MAY</td><td class="lineno" valign="top"></td></tr>
    264       <tr><td class="lineno" valign="top"></td><td class="left">   repeat the request with a new or replaced Proxy-Authorization header</td><td> </td><td class="right">   repeat the request with a new or replaced Proxy-Authorization header</td><td class="lineno" valign="top"></td></tr>
    265       <tr><td class="lineno" valign="top"></td><td class="left">   field (Section 4.4).</td><td> </td><td class="right">   field (Section 4.4).</td><td class="lineno" valign="top"></td></tr>
    266       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    267       <tr><td class="lineno" valign="top"></td><td class="left">4.  Header Field Definitions</td><td> </td><td class="right">4.  Header Field Definitions</td><td class="lineno" valign="top"></td></tr>
    268       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    269       <tr><td class="lineno" valign="top"></td><td class="left">   This section defines the syntax and semantics of header fields</td><td> </td><td class="right">   This section defines the syntax and semantics of header fields</td><td class="lineno" valign="top"></td></tr>
    270       <tr><td class="lineno" valign="top"></td><td class="left">   related to the HTTP authentication framework.</td><td> </td><td class="right">   related to the HTTP authentication framework.</td><td class="lineno" valign="top"></td></tr>
    271       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    272       <tr><td class="lineno" valign="top"></td><td class="left">4.1.  WWW-Authenticate</td><td> </td><td class="right">4.1.  WWW-Authenticate</td><td class="lineno" valign="top"></td></tr>
    273       <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
    274       <tr bgcolor="gray" ><td></td><th><a name="part-l7" /><small>skipping to change at</small><em> page 10, line 15</em></th><th> </th><th><a name="part-r7" /><small>skipping to change at</small><em> page 9, line 15</em></th><td></td></tr>
     173      <tr bgcolor="gray" ><td></td><th><a name="part-l3" /><small>skipping to change at</small><em> page 10, line 15</em></th><th> </th><th><a name="part-r3" /><small>skipping to change at</small><em> page 9, line 15</em></th><td></td></tr>
    275174      <tr><td class="lineno" valign="top"></td><td class="left">   the Proxy-Authorization header field is consumed by the first inbound</td><td> </td><td class="right">   the Proxy-Authorization header field is consumed by the first inbound</td><td class="lineno" valign="top"></td></tr>
    276175      <tr><td class="lineno" valign="top"></td><td class="left">   proxy that was expecting to receive credentials.  A proxy MAY relay</td><td> </td><td class="right">   proxy that was expecting to receive credentials.  A proxy MAY relay</td><td class="lineno" valign="top"></td></tr>
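Review bot: The removed rows 208-262 were the only place this file showed four wording changes (diff0010 to diff0013: "which" to "that" in two places, "but with different realms", and "but it indicates" with the rewrapped Proxy-Authenticate line). The added row 173 now skips from the auth-param context straight to page 10, line 15, so none of them appear in the regenerated diff. Please confirm this is because the new left-hand baseline already contains those edits, not because the comparison was run against a different input. The same rows also renumber the part-l7/part-r7 anchor to part-l3/part-r3, so any existing link to a part-lN fragment in this file will now land on a different section.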
     
    283182      <tr><td class="lineno" valign="top"></td><td class="left">5.1.  Authentication Scheme Registry</td><td> </td><td class="right">5.1.  Authentication Scheme Registry</td><td class="lineno" valign="top"></td></tr>
    284183      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    285       <tr><td><a name="diff0014" /></td></tr>
    286       <tr><td class="lineno" valign="top"></td><td class="lblock">   The <span class="delete">HTTP</span> Authentication <span class="delete">Scheme Registry</span> defines the <span class="delete">namespace</span> for the</td><td> </td><td class="rblock">   The <span class="insert">"HTTP</span> Authentication <span class="insert">Schemes" registry</span> defines the <span class="insert">name space</span> for</td><td class="lineno" valign="top"></td></tr>
    287       <tr><td class="lineno" valign="top"></td><td class="lblock">   authentication schemes in challenges and credentials.  <span class="delete">It will be</span></td><td> </td><td class="rblock">   the authentication schemes in challenges and credentials.  <span class="insert">The</span></td><td class="lineno" valign="top"></td></tr>
    288       <tr><td class="lineno" valign="top"></td><td class="lblock">   created and maintained at <span class="delete">(the suggested URI)</span></td><td> </td><td class="rblock"><span class="insert">   registry has been</span> created and <span class="insert">is now</span> maintained at</td><td class="lineno" valign="top"></td></tr>
    289       <tr><td class="lineno" valign="top"></td><td class="left">   &lt;http://www.iana.org/assignments/http-authschemes&gt;.</td><td> </td><td class="right">   &lt;http://www.iana.org/assignments/http-authschemes&gt;.</td><td class="lineno" valign="top"></td></tr>
     184      <tr><td><a name="diff0009" /></td></tr>
     185      <tr><td class="lineno" valign="top"></td><td class="lblock">   The <span class="delete">"Hypertext Transfer Protocol (HTTP)</span> Authentication <span class="delete">Scheme</span></td><td> </td><td class="rblock">   The <span class="insert">"HTTP</span> Authentication <span class="insert">Schemes" registry</span> defines the <span class="insert">name space</span> for</td><td class="lineno" valign="top"></td></tr>
     186      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   Registry"</span> defines the <span class="delete">namespace</span> for the authentication schemes in</td><td> </td><td class="rblock">   the authentication schemes in challenges and credentials.  <span class="insert">The</span></td><td class="lineno" valign="top"></td></tr>
     187      <tr><td class="lineno" valign="top"></td><td class="lblock">   challenges and credentials.  <span class="delete">It will</span> has been created and is now</td><td> </td><td class="rblock"><span class="insert">   registry</span> has been created and is now maintained at</td><td class="lineno" valign="top"></td></tr>
     188      <tr><td class="lineno" valign="top"></td><td class="lblock">   maintained at &lt;http://www.iana.org/assignments/http-authschemes&gt;.</td><td> </td><td class="rblock">   &lt;http://www.iana.org/assignments/http-authschemes&gt;.</td><td class="lineno" valign="top"></td></tr>
    290189      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    291190      <tr><td class="lineno" valign="top"></td><td class="left">5.1.1.  Procedure</td><td> </td><td class="right">5.1.1.  Procedure</td><td class="lineno" valign="top"></td></tr>
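Review bot: In added rows 186-187 the left-hand column now reads "It will" (marked deleted) followed by unmarked "has been created and is now maintained at". Unmarked words are shared by both sides, so the baseline is being shown as "It will has been created and is now", which is not grammatical. The removed rows 287-288 showed the baseline as "It will be created and maintained at (the suggested URI)", and the "(the suggested URI)" deletion is no longer visible at all. Please check which baseline file produced this output and whether that sentence is really in it; if it is, the right-hand text is fine as it stands.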
     
    299198      <tr><td class="lineno" valign="top"></td><td class="left">   o  Notes (optional)</td><td> </td><td class="right">   o  Notes (optional)</td><td class="lineno" valign="top"></td></tr>
    300199      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    301       <tr><td><a name="diff0015" /></td></tr>
     200      <tr><td><a name="diff0010" /></td></tr>
    302201      <tr><td class="lineno" valign="top"></td><td class="lblock">   Values to be added to this namespace require IETF Review (see</td><td> </td><td class="rblock">   Values to be added to this name<span class="insert"> </span>space require IETF Review (see</td><td class="lineno" valign="top"></td></tr>
    303202      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC5226], Section 4.1).</td><td> </td><td class="right">   [RFC5226], Section 4.1).</td><td class="lineno" valign="top"></td></tr>
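Review bot: The anchor on the "name space" row changes from diff0015 to diff0010 (rows 301 and 200), but in the previous revision diff0010 was the anchor for the "valid credentials which are not adequate" row. Anyone who linked to #diff0010 in review mail will now be taken to a different change. Since these names are assigned by position when the file is generated, it would help to say in the commit message that the auth48 diff was regenerated against a new baseline and that fragment links into it are not stable across revisions.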
     
    311210      <tr><td class="lineno" valign="top"></td><td class="left">      information necessary to authenticate a request MUST be provided</td><td> </td><td class="right">      information necessary to authenticate a request MUST be provided</td><td class="lineno" valign="top"></td></tr>
    312211      <tr><td class="lineno" valign="top"></td><td class="left">      in the request, rather than be dependent on the server remembering</td><td> </td><td class="right">      in the request, rather than be dependent on the server remembering</td><td class="lineno" valign="top"></td></tr>
    313       <tr><td class="lineno" valign="top"></td><td class="left">      prior requests.  Authentication based on, or bound to, the</td><td> </td><td class="right">      prior requests.  Authentication based on, or bound to, the</td><td class="lineno" valign="top"></td></tr>
    314       <tr><td class="lineno" valign="top"></td><td class="left">      underlying connection is outside the scope of this specification</td><td> </td><td class="right">      underlying connection is outside the scope of this specification</td><td class="lineno" valign="top"></td></tr>
    315       <tr><td class="lineno" valign="top"></td><td class="left">      and inherently flawed unless steps are taken to ensure that the</td><td> </td><td class="right">      and inherently flawed unless steps are taken to ensure that the</td><td class="lineno" valign="top"></td></tr>
    316       <tr><td class="lineno" valign="top"></td><td class="left">      connection cannot be used by any party other than the</td><td> </td><td class="right">      connection cannot be used by any party other than the</td><td class="lineno" valign="top"></td></tr>
    317       <tr><td class="lineno" valign="top"></td><td class="left">      authenticated user (see Section 2.3 of [RFC7230]).</td><td> </td><td class="right">      authenticated user (see Section 2.3 of [RFC7230]).</td><td class="lineno" valign="top"></td></tr>
    318       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    319       <tr><td class="lineno" valign="top"></td><td class="left">   o  The authentication parameter "realm" is reserved for defining</td><td> </td><td class="right">   o  The authentication parameter "realm" is reserved for defining</td><td class="lineno" valign="top"></td></tr>
    320       <tr><td><a name="diff0016" /></td></tr>
    321       <tr><td class="lineno" valign="top"></td><td class="lblock">      <span class="delete">Protection Spaces</span> as <span class="delete">defined</span> in Section 2.2.  New schemes MUST NOT</td><td> </td><td class="rblock">      <span class="insert">protection spaces</span> as <span class="insert">described</span> in Section 2.2.  New schemes MUST</td><td class="lineno" valign="top"></td></tr>
    322       <tr><td class="lineno" valign="top"></td><td class="lblock">      use it in a way incompatible with that definition.</td><td> </td><td class="rblock">      NOT use it in a way incompatible with that definition.</td><td class="lineno" valign="top"></td></tr>
    323       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    324       <tr><td class="lineno" valign="top"></td><td class="left">   o  The "token68" notation was introduced for compatibility with</td><td> </td><td class="right">   o  The "token68" notation was introduced for compatibility with</td><td class="lineno" valign="top"></td></tr>
    325       <tr><td class="lineno" valign="top"></td><td class="left">      existing authentication schemes and can only be used once per</td><td> </td><td class="right">      existing authentication schemes and can only be used once per</td><td class="lineno" valign="top"></td></tr>
    326       <tr><td><a name="diff0017" /></td></tr>
    327       <tr><td class="lineno" valign="top"></td><td class="lblock">      challenge or credential.  <span class="delete">New</span> schemes <span class="delete">thus</span> ought to use the <span class="delete">"auth-</span></td><td> </td><td class="rblock">      challenge or credential.  <span class="insert">Thus, new</span> schemes ought to use the <span class="insert">auth-</span></td><td class="lineno" valign="top"></td></tr>
    328       <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">      param"</span> syntax instead, because otherwise future extensions will be</td><td> </td><td class="rblock"><span class="insert">      param</span> syntax instead, because otherwise future extensions will be</td><td class="lineno" valign="top"></td></tr>
    329       <tr><td class="lineno" valign="top"></td><td class="left">      impossible.</td><td> </td><td class="right">      impossible.</td><td class="lineno" valign="top"></td></tr>
    330       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    331       <tr><td class="lineno" valign="top"></td><td class="left">   o  The parsing of challenges and credentials is defined by this</td><td> </td><td class="right">   o  The parsing of challenges and credentials is defined by this</td><td class="lineno" valign="top"></td></tr>
    332       <tr><td><a name="diff0018" /></td></tr>
    333       <tr><td class="lineno" valign="top"></td><td class="lblock">      specification<span class="delete">,</span> and cannot be modified by new authentication</td><td> </td><td class="rblock">      specification and cannot be modified by new authentication</td><td class="lineno" valign="top"></td></tr>
    334       <tr><td class="lineno" valign="top"></td><td class="left">      schemes.  When the auth-param syntax is used, all parameters ought</td><td> </td><td class="right">      schemes.  When the auth-param syntax is used, all parameters ought</td><td class="lineno" valign="top"></td></tr>
    335       <tr><td class="lineno" valign="top"></td><td class="left">      to support both token and quoted-string syntax, and syntactical</td><td> </td><td class="right">      to support both token and quoted-string syntax, and syntactical</td><td class="lineno" valign="top"></td></tr>
    336       <tr><td class="lineno" valign="top"></td><td class="left">      constraints ought to be defined on the field value after parsing</td><td> </td><td class="right">      constraints ought to be defined on the field value after parsing</td><td class="lineno" valign="top"></td></tr>
    337       <tr><td class="lineno" valign="top"></td><td class="left">      (i.e., quoted-string processing).  This is necessary so that</td><td> </td><td class="right">      (i.e., quoted-string processing).  This is necessary so that</td><td class="lineno" valign="top"></td></tr>
    338       <tr><td class="lineno" valign="top"></td><td class="left">      recipients can use a generic parser that applies to all</td><td> </td><td class="right">      recipients can use a generic parser that applies to all</td><td class="lineno" valign="top"></td></tr>
    339       <tr><td class="lineno" valign="top"></td><td class="left">      authentication schemes.</td><td> </td><td class="right">      authentication schemes.</td><td class="lineno" valign="top"></td></tr>
    340       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    341       <tr><td class="lineno" valign="top"></td><td class="left">      Note: The fact that the value syntax for the "realm" parameter is</td><td> </td><td class="right">      Note: The fact that the value syntax for the "realm" parameter is</td><td class="lineno" valign="top"></td></tr>
    342       <tr><td class="lineno" valign="top"></td><td class="left">      restricted to quoted-string was a bad design choice not to be</td><td> </td><td class="right">      restricted to quoted-string was a bad design choice not to be</td><td class="lineno" valign="top"></td></tr>
    343       <tr><td class="lineno" valign="top"></td><td class="left">      repeated for new parameters.</td><td> </td><td class="right">      repeated for new parameters.</td><td class="lineno" valign="top"></td></tr>
    344       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    345       <tr><td class="lineno" valign="top"></td><td class="left">   o  Definitions of new schemes ought to define the treatment of</td><td> </td><td class="right">   o  Definitions of new schemes ought to define the treatment of</td><td class="lineno" valign="top"></td></tr>
    346       <tr><td class="lineno" valign="top"></td><td class="left">      unknown extension parameters.  In general, a "must-ignore" rule is</td><td> </td><td class="right">      unknown extension parameters.  In general, a "must-ignore" rule is</td><td class="lineno" valign="top"></td></tr>
    347       <tr><td><a name="diff0019" /></td></tr>
    348       <tr><td class="lineno" valign="top"></td><td class="lblock">      preferable <span class="delete">over "must-understand",</span> because otherwise it will be</td><td> </td><td class="rblock">      preferable <span class="insert">to a "must-understand" rule,</span> because otherwise it will</td><td class="lineno" valign="top"></td></tr>
    349       <tr><td class="lineno" valign="top"></td><td class="lblock">      hard to introduce new parameters in the presence of legacy</td><td> </td><td class="rblock">      be hard to introduce new parameters in the presence of legacy</td><td class="lineno" valign="top"></td></tr>
    350       <tr><td class="lineno" valign="top"></td><td class="left">      recipients.  Furthermore, it's good to describe the policy for</td><td> </td><td class="right">      recipients.  Furthermore, it's good to describe the policy for</td><td class="lineno" valign="top"></td></tr>
    351       <tr><td><a name="diff0020" /></td></tr>
    352       <tr><td class="lineno" valign="top"></td><td class="lblock">      defining new parameters (such as "update the specification"<span class="delete">,</span> or</td><td> </td><td class="rblock">      defining new parameters (such as "update the specification" or</td><td class="lineno" valign="top"></td></tr>
    353       <tr><td class="lineno" valign="top"></td><td class="left">      "use this registry").</td><td> </td><td class="right">      "use this registry").</td><td class="lineno" valign="top"></td></tr>
    354       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    355       <tr><td class="lineno" valign="top"></td><td class="left">   o  Authentication schemes need to document whether they are usable in</td><td> </td><td class="right">   o  Authentication schemes need to document whether they are usable in</td><td class="lineno" valign="top"></td></tr>
    356       <tr><td class="lineno" valign="top"></td><td class="left">      origin-server authentication (i.e., using WWW-Authenticate),</td><td> </td><td class="right">      origin-server authentication (i.e., using WWW-Authenticate),</td><td class="lineno" valign="top"></td></tr>
    357       <tr><td class="lineno" valign="top"></td><td class="left">      and/or proxy authentication (i.e., using Proxy-Authenticate).</td><td> </td><td class="right">      and/or proxy authentication (i.e., using Proxy-Authenticate).</td><td class="lineno" valign="top"></td></tr>
    358       <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    359       <tr><td class="lineno" valign="top"></td><td class="left">   o  The credentials carried in an Authorization header field are</td><td> </td><td class="right">   o  The credentials carried in an Authorization header field are</td><td class="lineno" valign="top"></td></tr>
    360       <tr><td><a name="diff0021" /></td></tr>
    361       <tr><td class="lineno" valign="top"></td><td class="lblock">      specific to the <span class="delete">User Agent, and therefore</span> have the same effect on</td><td> </td><td class="rblock">      specific to the <span class="insert">user agent and, therefore,</span> have the same effect on</td><td class="lineno" valign="top"></td></tr>
    362       <tr><td class="lineno" valign="top"></td><td class="left">      HTTP caches as the "private" Cache-Control response directive</td><td> </td><td class="right">      HTTP caches as the "private" Cache-Control response directive</td><td class="lineno" valign="top"></td></tr>
    363       <tr><td><a name="diff0022" /></td></tr>
    364       <tr><td class="lineno" valign="top"></td><td class="lblock">      (Section 5.2.2.6 of [RFC7234]), within the scope of the request</td><td> </td><td class="rblock">      (Section 5.2.2.6 of [RFC7234]), within the scope of the request <span class="insert">in</span></td><td class="lineno" valign="top"></td></tr>
    365       <tr><td class="lineno" valign="top"></td><td class="lblock">      they <span class="delete">appear in.</span></td><td> </td><td class="rblock"><span class="insert">      which</span> they <span class="insert">appear.</span></td><td class="lineno" valign="top"></td></tr>
     212      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
     213      <tr bgcolor="gray" ><td></td><th><a name="part-l4" /><small>skipping to change at</small><em> page 12, line 7</em></th><th> </th><th><a name="part-r4" /><small>skipping to change at</small><em> page 11, line 7</em></th><td></td></tr>
    366214      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    367215      <tr><td class="lineno" valign="top"></td><td class="left">      Therefore, new authentication schemes that choose not to carry</td><td> </td><td class="right">      Therefore, new authentication schemes that choose not to carry</td><td class="lineno" valign="top"></td></tr>
     
    374222      <tr><td class="lineno" valign="top"></td><td class="left">5.2.  Status Code Registration</td><td> </td><td class="right">5.2.  Status Code Registration</td><td class="lineno" valign="top"></td></tr>
    375223      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    376       <tr><td><a name="diff0023" /></td></tr>
     224      <tr><td><a name="diff0011" /></td></tr>
    377225      <tr><td class="lineno" valign="top"></td><td class="lblock">   The <span class="delete">"Hypertext Transfer Protocol (HTTP)</span> Status Code <span class="delete">Registry"</span> located</td><td> </td><td class="rblock">   The <span class="insert">HTTP</span> Status Code <span class="insert">Registry</span> located at</td><td class="lineno" valign="top"></td></tr>
    378226      <tr><td class="lineno" valign="top"></td><td class="lblock">   at &lt;http://www.iana.org/assignments/http-status-codes&gt; <span class="delete">has been</span></td><td> </td><td class="rblock">   &lt;http://www.iana.org/assignments/http-status-codes&gt; <span class="insert">shall be</span> updated</td><td class="lineno" valign="top"></td></tr>
     
    388236      <tr><td class="lineno" valign="top"></td><td class="left">5.3.  Header Field Registration</td><td> </td><td class="right">5.3.  Header Field Registration</td><td class="lineno" valign="top"></td></tr>
    389237      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    390       <tr><td><a name="diff0024" /></td></tr>
     238      <tr><td><a name="diff0012" /></td></tr>
    391239      <tr><td class="lineno" valign="top"></td><td class="lblock">   HTTP header fields are registered within the <span class="delete">"Message Headers"</span></td><td> </td><td class="rblock">   HTTP header fields are registered within the <span class="insert">Message Header Field</span></td><td class="lineno" valign="top"></td></tr>
    392240      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   registry</span> maintained at</td><td> </td><td class="rblock"><span class="insert">   Registry</span> maintained at</td><td class="lineno" valign="top"></td></tr>
    393241      <tr><td class="lineno" valign="top"></td><td class="lblock">   <span class="delete">&lt;http://www.iana.org/assignments/message-headers/&gt;.</span></td><td> </td><td class="rblock">   <span class="insert">&lt;http://www.iana.org/assignments/message-headers&gt;.</span></td><td class="lineno" valign="top"></td></tr>
    394242      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    395       <tr><td><a name="diff0025" /></td></tr>
     243      <tr><td><a name="diff0013" /></td></tr>
    396244      <tr><td class="lineno" valign="top"></td><td class="lblock">   This document defines the following HTTP header fields, so <span class="delete">the</span></td><td> </td><td class="rblock">   This document defines the following HTTP header fields, so <span class="insert">their</span></td><td class="lineno" valign="top"></td></tr>
    397245      <tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">   "Permanent Message Header Field Names"</span> registry <span class="delete">has</span> been updated</td><td> </td><td class="rblock"><span class="insert">   associated</span> registry <span class="insert">entries have</span> been updated <span class="insert">according to the</span></td><td class="lineno" valign="top"></td></tr>
     
    408256      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    409257      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
    410       <tr bgcolor="gray" ><td></td><th><a name="part-l8" /><small>skipping to change at</small><em> page 13, line 23</em></th><th> </th><th><a name="part-r8" /><small>skipping to change at</small><em> page 12, line 23</em></th><td></td></tr>
     258      <tr bgcolor="gray" ><td></td><th><a name="part-l5" /><small>skipping to change at</small><em> page 13, line 23</em></th><th> </th><th><a name="part-r5" /><small>skipping to change at</small><em> page 12, line 23</em></th><td></td></tr>
    411259      <tr><td class="lineno" valign="top"></td><td class="left">   authentication scheme defines how the credentials are encoded prior</td><td> </td><td class="right">   authentication scheme defines how the credentials are encoded prior</td><td class="lineno" valign="top"></td></tr>
    412260      <tr><td class="lineno" valign="top"></td><td class="left">   to transmission.  While this provides flexibility for the development</td><td> </td><td class="right">   to transmission.  While this provides flexibility for the development</td><td class="lineno" valign="top"></td></tr>
     
    419267      <tr><td class="lineno" valign="top"></td><td class="left">   credentials remains confidential.</td><td> </td><td class="right">   credentials remains confidential.</td><td class="lineno" valign="top"></td></tr>
    420268      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    421       <tr><td><a name="diff0026" /></td></tr>
     269      <tr><td><a name="diff0014" /></td></tr>
    422270      <tr><td class="lineno" valign="top"></td><td class="lblock">   HTTP depends on the security properties of the underlying transport<span class="delete">-</span></td><td> </td><td class="rblock">   HTTP depends on the security properties of the underlying transport</td><td class="lineno" valign="top"></td></tr>
    423271      <tr><td class="lineno" valign="top"></td><td class="left">   or session-level connection to provide confidential transmission of</td><td> </td><td class="right">   or session-level connection to provide confidential transmission of</td><td class="lineno" valign="top"></td></tr>
     
    432280      <tr><td class="lineno" valign="top"></td><td class="left">6.2.  Authentication Credentials and Idle Clients</td><td> </td><td class="right">6.2.  Authentication Credentials and Idle Clients</td><td class="lineno" valign="top"></td></tr>
    433281      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
    434       <tr bgcolor="gray" ><td></td><th><a name="part-l9" /><small>skipping to change at</small><em> page 15, line 5</em></th><th> </th><th><a name="part-r9" /><small>skipping to change at</small><em> page 14, line 5</em></th><td></td></tr>
     282      <tr bgcolor="gray" ><td></td><th><a name="part-l6" /><small>skipping to change at</small><em> page 15, line 5</em></th><th> </th><th><a name="part-r6" /><small>skipping to change at</small><em> page 14, line 5</em></th><td></td></tr>
    435283      <tr><td class="lineno" valign="top"></td><td class="left">8.1.  Normative References</td><td> </td><td class="right">8.1.  Normative References</td><td class="lineno" valign="top"></td></tr>
    436284      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
     
    443291      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer</td><td> </td><td class="right">   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer</td><td class="lineno" valign="top"></td></tr>
    444292      <tr><td class="lineno" valign="top"></td><td class="left">              Protocol (HTTP/1.1): Message Syntax and Routing",</td><td> </td><td class="right">              Protocol (HTTP/1.1): Message Syntax and Routing",</td><td class="lineno" valign="top"></td></tr>
    445       <tr><td><a name="diff0027" /></td></tr>
     293      <tr><td><a name="diff0015" /></td></tr>
    446294      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">draft-ietf-httpbis-p1-messaging-latest (work in progress),</span></td><td> </td><td class="rblock">              <span class="insert">RFC 7230,</span> May 2014.</td><td class="lineno" valign="top"></td></tr>
    447295      <tr><td class="lineno" valign="top"></td><td class="lblock">              May 2014.</td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
    448296      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    449297      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer</td><td> </td><td class="right">   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer</td><td class="lineno" valign="top"></td></tr>
    450       <tr><td><a name="diff0028" /></td></tr>
     298      <tr><td><a name="diff0016" /></td></tr>
    451299      <tr><td class="lineno" valign="top"></td><td class="lblock">              Protocol (HTTP/1.1): Semantics and Content",</td><td> </td><td class="rblock">              Protocol (HTTP/1.1): Semantics and Content", <span class="insert">RFC 7231,</span></td><td class="lineno" valign="top"></td></tr>
    452300      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">draft-ietf-httpbis-p2-semantics-latest (work in progress),</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
     
    455303      <tr><td class="lineno" valign="top"></td><td class="left">   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,</td><td> </td><td class="right">   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,</td><td class="lineno" valign="top"></td></tr>
    456304      <tr><td class="lineno" valign="top"></td><td class="left">              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",</td><td> </td><td class="right">              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",</td><td class="lineno" valign="top"></td></tr>
    457       <tr><td><a name="diff0029" /></td></tr>
     305      <tr><td><a name="diff0017" /></td></tr>
    458306      <tr><td class="lineno" valign="top"></td><td class="lblock">              <span class="delete">draft-ietf-httpbis-p6-cache-latest (work in progress),</span></td><td> </td><td class="rblock">              <span class="insert">RFC 7234,</span> May 2014.</td><td class="lineno" valign="top"></td></tr>
    459307      <tr><td class="lineno" valign="top"></td><td class="lblock">              May 2014.</td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
     
    469317      <tr><td class="lineno" valign="top"></td><td class="left">              Security Project (OWASP) 2.0.1, July 2005,</td><td> </td><td class="right">              Security Project (OWASP) 2.0.1, July 2005,</td><td class="lineno" valign="top"></td></tr>
    470318      <tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
    471       <tr bgcolor="gray" ><td></td><th><a name="part-l10" /><small>skipping to change at</small><em> page 17, line 35</em></th><th> </th><th><a name="part-r10" /><small>skipping to change at</small><em> page 16, line 35</em></th><td></td></tr>
     319      <tr bgcolor="gray" ><td></td><th><a name="part-l7" /><small>skipping to change at</small><em> page 17, line 35</em></th><th> </th><th><a name="part-r7" /><small>skipping to change at</small><em> page 16, line 35</em></th><td></td></tr>
    472320      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    473321      <tr><td class="lineno" valign="top"></td><td class="left">   quoted-string = &lt;quoted-string, see [RFC7230], Section 3.2.6&gt;</td><td> </td><td class="right">   quoted-string = &lt;quoted-string, see [RFC7230], Section 3.2.6&gt;</td><td class="lineno" valign="top"></td></tr>
     
    480328      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    481329      <tr><td class="lineno" valign="top"></td><td class="left">   4</td><td> </td><td class="right">   4</td><td class="lineno" valign="top"></td></tr>
    482       <tr><td><a name="diff0030" /></td></tr>
     330      <tr><td><a name="diff0018" /></td></tr>
    483331      <tr><td class="lineno" valign="top"></td><td class="lblock">      401 Unauthorized (status code)  <span class="delete">7</span></td><td> </td><td class="rblock">      401 Unauthorized (status code)  <span class="insert">6</span></td><td class="lineno" valign="top"></td></tr>
    484332      <tr><td class="lineno" valign="top"></td><td class="lblock">      407 Proxy Authentication Required (status code)  <span class="delete">7</span></td><td> </td><td class="rblock">      407 Proxy Authentication Required (status code)  <span class="insert">6</span></td><td class="lineno" valign="top"></td></tr>
    485333      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    486334      <tr><td class="lineno" valign="top"></td><td class="left">   A</td><td> </td><td class="right">   A</td><td class="lineno" valign="top"></td></tr>
    487       <tr><td><a name="diff0031" /></td></tr>
     335      <tr><td><a name="diff0019" /></td></tr>
    488336      <tr><td class="lineno" valign="top"></td><td class="lblock">      Authorization header field  <span class="delete">8</span></td><td> </td><td class="rblock">      Authorization header field  <span class="insert">7</span></td><td class="lineno" valign="top"></td></tr>
    489337      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    490338      <tr><td class="lineno" valign="top"></td><td class="left">   C</td><td> </td><td class="right">   C</td><td class="lineno" valign="top"></td></tr>
    491       <tr><td><a name="diff0032" /></td></tr>
     339      <tr><td><a name="diff0020" /></td></tr>
    492340      <tr><td class="lineno" valign="top"></td><td class="lblock">      Canonical Root URI  <span class="delete">6</span></td><td> </td><td class="rblock">      Canonical Root URI  <span class="insert">5</span></td><td class="lineno" valign="top"></td></tr>
    493341      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    494342      <tr><td class="lineno" valign="top"></td><td class="left">   G</td><td> </td><td class="right">   G</td><td class="lineno" valign="top"></td></tr>
    495343      <tr><td class="lineno" valign="top"></td><td class="left">      Grammar</td><td> </td><td class="right">      Grammar</td><td class="lineno" valign="top"></td></tr>
    496       <tr><td><a name="diff0033" /></td></tr>
     344      <tr><td><a name="diff0021" /></td></tr>
    497345      <tr><td class="lineno" valign="top"></td><td class="lblock">         auth-param  <span class="delete">5</span></td><td> </td><td class="rblock">         auth-param  <span class="insert">4</span></td><td class="lineno" valign="top"></td></tr>
    498346      <tr><td class="lineno" valign="top"></td><td class="lblock">         auth-scheme  <span class="delete">5</span></td><td> </td><td class="rblock">         auth-scheme  <span class="insert">4</span></td><td class="lineno" valign="top"></td></tr>
     
    506354      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    507355      <tr><td class="lineno" valign="top"></td><td class="left">   P</td><td> </td><td class="right">   P</td><td class="lineno" valign="top"></td></tr>
    508       <tr><td><a name="diff0034" /></td></tr>
     356      <tr><td><a name="diff0022" /></td></tr>
    509357      <tr><td class="lineno" valign="top"></td><td class="lblock">      Protection Space  <span class="delete">6</span></td><td> </td><td class="rblock">      Protection Space  <span class="insert">5</span></td><td class="lineno" valign="top"></td></tr>
    510358      <tr><td class="lineno" valign="top"></td><td class="lblock">      Proxy-Authenticate header field  <span class="delete">9</span></td><td> </td><td class="rblock">      Proxy-Authenticate header field  <span class="insert">8</span></td><td class="lineno" valign="top"></td></tr>
     
    512360      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    513361      <tr><td class="lineno" valign="top"></td><td class="left">   R</td><td> </td><td class="right">   R</td><td class="lineno" valign="top"></td></tr>
    514       <tr><td><a name="diff0035" /></td></tr>
     362      <tr><td><a name="diff0023" /></td></tr>
    515363      <tr><td class="lineno" valign="top"></td><td class="lblock">      Realm  <span class="delete">6</span></td><td> </td><td class="rblock">      Realm  <span class="insert">5</span></td><td class="lineno" valign="top"></td></tr>
    516364      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
    517365      <tr><td class="lineno" valign="top"></td><td class="left">   W</td><td> </td><td class="right">   W</td><td class="lineno" valign="top"></td></tr>
    518       <tr><td><a name="diff0036" /></td></tr>
     366      <tr><td><a name="diff0024" /></td></tr>
    519367      <tr><td class="lineno" valign="top"></td><td class="lblock">      WWW-Authenticate header field  <span class="delete">8</span></td><td> </td><td class="rblock">      WWW-Authenticate header field  <span class="insert">7</span></td><td class="lineno" valign="top"></td></tr>
    520368      <tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
     
    530378
    531379     <tr><td></td><td class="left"></td><td> </td><td class="right"></td><td></td></tr>
    532      <tr bgcolor="gray"><th colspan="5" align="center"><a name="end">&nbsp;End of changes. 36 change blocks.&nbsp;</a></th></tr>
    533      <tr class="stats"><td></td><th><i>123 lines changed or deleted</i></th><th><i> </i></th><th><i>102 lines changed or added</i></th><td></td></tr>
     380     <tr bgcolor="gray"><th colspan="5" align="center"><a name="end">&nbsp;End of changes. 24 change blocks.&nbsp;</a></th></tr>
     381     <tr class="stats"><td></td><th><i>106 lines changed or deleted</i></th><th><i> </i></th><th><i>85 lines changed or added</i></th><td></td></tr>
    534382     <tr><td colspan="5" align="center" class="small"><br/>This html diff was produced by rfcdiff 1.38. The latest version is available from <a href="http://www.tools.ietf.org/tools/rfcdiff/" >http://tools.ietf.org/tools/rfcdiff/</a> </td></tr>
    535383   </table>
  • draft-ietf-httpbis/latest/p7-auth.html

    r2667 r2692  
    463463  }
    464464  @bottom-center {
    465        content: "Expires November 13, 2014";
     465       content: "Expires November 26, 2014";
    466466  }
    467467  @bottom-right {
     
    503503      <meta name="dct.creator" content="Reschke, J. F.">
    504504      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
    505       <meta name="dct.issued" scheme="ISO8601" content="2014-05-12">
     505      <meta name="dct.issued" scheme="ISO8601" content="2014-05-25">
    506506      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    507507      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.">
     
    531531            <tr>
    532532               <td class="left">Intended status: Standards Track</td>
    533                <td class="right">May 12, 2014</td>
     533               <td class="right">May 25, 2014</td>
    534534            </tr>
    535535            <tr>
    536                <td class="left">Expires: November 13, 2014</td>
     536               <td class="left">Expires: November 26, 2014</td>
    537537               <td class="right"></td>
    538538            </tr>
     
    561561            in progress”.
    562562         </p>
    563          <p>This Internet-Draft will expire on November 13, 2014.</p>
     563         <p>This Internet-Draft will expire on November 26, 2014.</p>
    564564      </div>
    565565      <div id="rfc.copyrightnotice">
     
    662662            <p id="rfc.section.2.1.p.1">HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge a client request
    663663               and by a client to provide authentication information. It uses a case-insensitive token as a means to identify the authentication
    664                scheme, followed by additional information necessary for achieving authentication via that scheme. The latter can either be
     664               scheme, followed by additional information necessary for achieving authentication via that scheme. The latter can be either
    665665               a comma-separated list of parameters or a single sequence of characters capable of holding base64-encoded information.
    666666            </p>
     
    703703               that requires authentication <em class="bcp14">SHOULD</em> generate a <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response that contains a <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> header field with at least one (possibly new) challenge applicable to the proxy.
    704704            </p>
    705             <p id="rfc.section.2.1.p.15">A server that receives valid credentials which are not adequate to gain access ought to respond with the <a href="p2-semantics.html#status.403" class="smpl">403 (Forbidden)</a> status code (<a href="p2-semantics.html#status.403" title="403 Forbidden">Section 6.5.3</a> of <a href="#RFC7231" id="rfc.xref.RFC7231.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[RFC7231]</cite></a>).
     705            <p id="rfc.section.2.1.p.15">A server that receives valid credentials that are not adequate to gain access ought to respond with the <a href="p2-semantics.html#status.403" class="smpl">403 (Forbidden)</a> status code (<a href="p2-semantics.html#status.403" title="403 Forbidden">Section 6.5.3</a> of <a href="#RFC7231" id="rfc.xref.RFC7231.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[RFC7231]</cite></a>).
    706706            </p>
    707707            <p id="rfc.section.2.1.p.16">HTTP does not restrict applications to this simple challenge-response framework for access authentication. Additional mechanisms
     
    719719            <p id="rfc.section.2.2.p.2">A <dfn>protection space</dfn> is defined by the canonical root URI (the scheme and authority components of the effective request URI; see <a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#RFC7230" id="rfc.xref.RFC7230.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources
    720720               on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization
    721                database. The realm value is a string, generally assigned by the origin server, which can have additional semantics specific
    722                to the authentication scheme. Note that a response can have multiple challenges with the same auth-scheme but different realms.
     721               database. The realm value is a string, generally assigned by the origin server, that can have additional semantics specific
     722               to the authentication scheme. Note that a response can have multiple challenges with the same auth-scheme but with different
     723               realms.
    723724            </p>
    724725            <p id="rfc.section.2.2.p.3">The protection space determines the domain over which credentials can be automatically applied. If a prior request has been
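Review bot: In the new line 721, swapping "which" for "that" directly after the parenthetical "generally assigned by the origin server," leaves a restrictive "that" following a comma, so the clause can be read as describing the origin server rather than the string. Consider keeping the relative clause next to its noun, for example "The realm value is a string that can have additional semantics specific to the authentication scheme; it is generally assigned by the origin server." The "but with different realms" change in the same hunk reads fine.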
     
    748749            <div id="rfc.iref.8"></div>
    749750            <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a>&nbsp;<a href="#status.407">407 Proxy Authentication Required</a></h2>
    750             <p id="rfc.section.3.2.p.1">The <dfn>407 (Proxy Authentication Required)</dfn> status code is similar to <a href="#status.401" class="smpl">401 (Unauthorized)</a>, but indicates that the client needs to authenticate itself in order to use a proxy. The proxy <em class="bcp14">MUST</em> send a <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section&nbsp;4.3</a>) containing a challenge applicable to that proxy for the target resource. The client <em class="bcp14">MAY</em> repeat the request with a new or replaced <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section&nbsp;4.4</a>).
     751            <p id="rfc.section.3.2.p.1">The <dfn>407 (Proxy Authentication Required)</dfn> status code is similar to <a href="#status.401" class="smpl">401 (Unauthorized)</a>, but it indicates that the client needs to authenticate itself in order to use a proxy. The proxy <em class="bcp14">MUST</em> send a <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section&nbsp;4.3</a>) containing a challenge applicable to that proxy for the target resource. The client <em class="bcp14">MAY</em> repeat the request with a new or replaced <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section&nbsp;4.4</a>).
    751752            </p>
    752753         </div>
     
    832833         <div id="authentication.scheme.registry">
    833834            <h2 id="rfc.section.5.1"><a href="#rfc.section.5.1">5.1</a>&nbsp;<a href="#authentication.scheme.registry">Authentication Scheme Registry</a></h2>
    834             <p id="rfc.section.5.1.p.1">The HTTP Authentication Scheme Registry defines the namespace for the authentication schemes in challenges and credentials.
    835                It will be created and maintained at (the suggested URI) &lt;<a href="http://www.iana.org/assignments/http-authschemes">http://www.iana.org/assignments/http-authschemes</a>&gt;.
     835            <p id="rfc.section.5.1.p.1">The "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" defines the namespace for the authentication schemes
     836               in challenges and credentials. It will has been created and is now maintained at &lt;<a href="http://www.iana.org/assignments/http-authschemes">http://www.iana.org/assignments/http-authschemes</a>&gt;.
    836837            </p>
    837838            <div id="authentication.scheme.registry.procedure">
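Review bot: The added registry sentence reads "It will has been created and is now maintained at", which leaves the old "will" standing next to the new "has been". Drop "will" so that it reads "It has been created and is now maintained at". The p7-auth.xml hunk for the same section carries the same wording and needs the same correction.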
     
    861862                  </li>
    862863                  <li>
    863                      <p>The authentication parameter "realm" is reserved for defining Protection Spaces as defined in <a href="#protection.space" title="Protection Space (Realm)">Section&nbsp;2.2</a>. New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition.
     864                     <p>The authentication parameter "realm" is reserved for defining protection spaces as described in <a href="#protection.space" title="Protection Space (Realm)">Section&nbsp;2.2</a>. New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition.
    864865                     </p>
    865866                  </li>
    866867                  <li>
    867868                     <p>The "token68" notation was introduced for compatibility with existing authentication schemes and can only be used once per
    868                         challenge or credential. New schemes thus ought to use the "auth-param" syntax instead, because otherwise future extensions
     869                        challenge or credential. Thus, new schemes ought to use the auth-param syntax instead, because otherwise future extensions
    869870                        will be impossible.
    870871                     </p>
    871872                  </li>
    872873                  <li>
    873                      <p>The parsing of challenges and credentials is defined by this specification, and cannot be modified by new authentication schemes.
     874                     <p>The parsing of challenges and credentials is defined by this specification and cannot be modified by new authentication schemes.
    874875                        When the auth-param syntax is used, all parameters ought to support both token and quoted-string syntax, and syntactical constraints
    875876                        ought to be defined on the field value after parsing (i.e., quoted-string processing). This is necessary so that recipients
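Review bot: Quoting of rule names is now inconsistent inside the token68 item. The added line drops the quotes from auth-param, which matches "When the auth-param syntax is used" in the following item, but the unchanged line just above still writes "token68" in quotes. Either unquote token68 too, or keep both quoted in this item.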
     
    882883                  <li>
    883884                     <p>Definitions of new schemes ought to define the treatment of unknown extension parameters. In general, a "must-ignore" rule
    884                         is preferable over "must-understand", because otherwise it will be hard to introduce new parameters in the presence of legacy
    885                         recipients. Furthermore, it's good to describe the policy for defining new parameters (such as "update the specification",
     885                        is preferable to a "must-understand" rule, because otherwise it will be hard to introduce new parameters in the presence of
     886                        legacy recipients. Furthermore, it's good to describe the policy for defining new parameters (such as "update the specification"
    886887                        or "use this registry").
    887888                     </p>
     
    892893                  </li>
    893894                  <li>
    894                      <p>The credentials carried in an <a href="#header.authorization" class="smpl">Authorization</a> header field are specific to the User Agent, and therefore have the same effect on HTTP caches as the "private" Cache-Control
    895                         response directive (<a href="p6-cache.html#cache-response-directive.private" title="private">Section 5.2.2.6</a> of <a href="#RFC7234" id="rfc.xref.RFC7234.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Caching">[RFC7234]</cite></a>), within the scope of the request they appear in.
     895                     <p>The credentials carried in an <a href="#header.authorization" class="smpl">Authorization</a> header field are specific to the user agent and, therefore, have the same effect on HTTP caches as the "private" Cache-Control
     896                        response directive (<a href="p6-cache.html#cache-response-directive.private" title="private">Section 5.2.2.6</a> of <a href="#RFC7234" id="rfc.xref.RFC7234.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Caching">[RFC7234]</cite></a>), within the scope of the request in which they appear.
    896897                     </p>
    897898                     <p>Therefore, new authentication schemes that choose not to carry credentials in the <a href="#header.authorization" class="smpl">Authorization</a> header field (e.g., using a newly defined header field) will need to explicitly disallow caching, by mandating the use of
  • draft-ietf-httpbis/latest/p7-auth.xml

    r2667 r2692  
    179179   token as a means to identify the authentication scheme, followed
    180180   by additional information necessary for achieving authentication via that
    181    scheme. The latter can either be a comma-separated list of parameters or a
     181   scheme. The latter can be either a comma-separated list of parameters or a
    182182   single sequence of characters capable of holding base64-encoded
    183183   information.
     
    271271</t>
    272272<t>
    273    A server that receives valid credentials which are not adequate to gain
     273   A server that receives valid credentials that are not adequate to gain
    274274   access ought to respond with the <x:ref>403 (Forbidden)</x:ref> status
    275275   code (&status.403;).
     
    300300   partitioned into a set of protection spaces, each with its own
    301301   authentication scheme and/or authorization database. The realm value
    302    is a string, generally assigned by the origin server, which can have
     302   is a string, generally assigned by the origin server, that can have
    303303   additional semantics specific to the authentication scheme. Note that a
    304304   response can have multiple challenges with the same auth-scheme but
    305    different realms.
     305   with different realms.
    306306</t>
    307307<t>
     
    355355<t>
    356356   The <x:dfn>407 (Proxy Authentication Required)</x:dfn> status code is
    357    similar to <x:ref>401 (Unauthorized)</x:ref>, but indicates that the client
     357   similar to <x:ref>401 (Unauthorized)</x:ref>, but it indicates that the client
    358358   needs to authenticate itself in order to use a proxy.
    359359   The proxy &MUST; send a <x:ref>Proxy-Authenticate</x:ref> header field
     
    516516<section title="Authentication Scheme Registry" anchor="authentication.scheme.registry">
    517517<t>
    518    The HTTP Authentication Scheme Registry defines the namespace for the
    519    authentication schemes in challenges and credentials. It will be created and
    520    maintained at (the suggested URI) <eref target="http://www.iana.org/assignments/http-authschemes"/>.
     518   The "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" defines the namespace for the
     519   authentication schemes in challenges and credentials. It will has been created
     520   and is now maintained at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
    521521</t>
    522522
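Review bot: The replacement text in this hunk still contains "will" in "It will has been created and is now maintained at", so the sentence is ungrammatical after the change. Remove "will" to leave "It has been created and is now maintained at" ahead of the eref.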
     
    557557    <x:lt>
    558558    <t>
    559       The authentication parameter "realm" is reserved for defining Protection
    560       Spaces as defined in <xref target="protection.space"/>. New schemes
     559      The authentication parameter "realm" is reserved for defining protection
     560      spaces as described in <xref target="protection.space"/>. New schemes
    561561      &MUST-NOT; use it in a way incompatible with that definition.
    562562    </t>
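Review bot: After "as defined in" becomes "as described in" on the added lines, the unchanged requirement that follows ("&MUST-NOT; use it in a way incompatible with that definition") refers back to a definition the sentence no longer names. This is the sentence that carries the MUST NOT for "realm", so consider keeping "defined" or rewording the tail so that the normative reference stays unambiguous.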
     
    566566      The "token68" notation was introduced for compatibility with existing
    567567      authentication schemes and can only be used once per challenge or credential.
    568       New schemes thus ought to use the "auth-param" syntax instead, because
     568      Thus, new schemes ought to use the auth-param syntax instead, because
    569569      otherwise future extensions will be impossible.
    570570    </t>
     
    572572    <x:lt>
    573573    <t>
    574       The parsing of challenges and credentials is defined by this specification,
     574      The parsing of challenges and credentials is defined by this specification
    575575      and cannot be modified by new authentication schemes. When the auth-param
    576576      syntax is used, all parameters ought to support both token and
     
    590590      Definitions of new schemes ought to define the treatment of unknown
    591591      extension parameters. In general, a "must-ignore" rule is preferable
    592       over "must-understand", because otherwise it will be hard to introduce
     592      to a "must-understand" rule, because otherwise it will be hard to introduce
    593593      new parameters in the presence of legacy recipients. Furthermore,
    594594      it's good to describe the policy for defining new parameters (such
    595       as "update the specification", or "use this registry").
     595      as "update the specification" or "use this registry").
    596596    </t>
    597597    </x:lt>
     
    606606    <t>
    607607      The credentials carried in an <x:ref>Authorization</x:ref> header field are specific to
    608       the User Agent, and therefore have the same effect on HTTP caches as the
     608      the user agent and, therefore, have the same effect on HTTP caches as the
    609609      "private" Cache-Control response directive (&caching-rsd-private;),
    610       within the scope of the request they appear in.
     610      within the scope of the request in which they appear.
    611611    </t>
    612612    <t>