Context Navigation

← Previous Change
Next Change →

Changeset 2726 for draft-ietf-httpbis-security-properties/04

Timestamp:

14/06/14 11:20:37 (6 years ago)

Author:

julian.reschke@…

Message:

update to latest version of rfc2629.xslt, regen all HTML

File:

: 1 edited

draft-ietf-httpbis-security-properties/04/draft-ietf-httpbis-security-properties-04.html (modified) (23 diffs)

Legend:

: Unmodified
: Added
: Removed

draft-ietf-httpbis-security-properties/04/draft-ietf-httpbis-security-properties-04.html

-                      r788
+                      r2726
   PUBLIC "-//W3C//DTD HTML 4.01//EN">
 <html lang="en">
    <head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
+   <head profile="http://dublincore.org/documents/2008/08/04/dc-html/">
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
       <title>Security Requirements for HTTP</title><style type="text/css" title="Xml2Rfc (sans serif)">
 …
 body {
   color: black;
+  font-family: verdana, helvetica, arial, sans-serif;
+  font-size: 10pt;
+  font-family: cambria, helvetica, arial, sans-serif;
+  font-size: 11pt;
+  margin-right: 2em;
+}
 cite {
   font-style: normal;
+}
-dd {
-  margin-right: 2em;
+}
 dl {
   margin-left: 2em;
+}
 ul.empty {
   list-style-type: none;
 …
+}
 h1 {
   font-size: 14pt;
+  font-size: 130%;
   line-height: 21pt;
   page-break-after: avoid;
 …
   page-break-before: always;
+}
-h1 a {
-  color: #333333;
+}
 h2 {
   font-size: 12pt;
+  font-size: 120%;
   line-height: 15pt;
   page-break-after: avoid;
+}
 h3, h4, h5, h6 {
   font-size: 10pt;
+h3 {
+  font-size: 110%;
   page-break-after: avoid;
+}
+h2 a, h3 a, h4 a, h5 a, h6 a {
+h4, h5, h6 {
+  page-break-after: avoid;
+}
+h1 a, h2 a, h3 a, h4 a, h5 a, h6 a {
   color: black;
+}
 …
 li {
   margin-left: 2em;
-  margin-right: 2em;
+}
 ol {
   margin-left: 2em;
+  margin-right: 2em;
+}
+ol.la {
+  list-style-type: lower-alpha;
+}
+ol.ua {
+  list-style-type: upper-alpha;
+}
 ol p {
 …
 p {
   margin-left: 2em;
-  margin-right: 2em;
+}
 pre {
 …
   background-color: lightyellow;
   padding: .25em;
+  page-break-inside: avoid;
+}
 pre.text2 {
 …
   border-spacing: 1px;
   width: 95%;
   font-size: 10pt;
+  font-size: 11pt;
   color: white;
+}
 …
 td.topnowrap {
   vertical-align: top;
   white-space: nowrap;
+  white-space: nowrap;
+}
 table.header td {
 …
   display:table-header-group;
+}
 ul.toc {
+ul.toc, ul.toc ul {
   list-style: none;
   margin-left: 1.5em;
-  margin-right: 0em;
   padding-left: 0em;
+}
 li.tocline0 {
+ul.toc li {
   line-height: 150%;
   font-weight: bold;
+  margin-left: 0em;
+}
+ul.toc li li {
+  line-height: normal;
+  font-weight: normal;
   font-size: 10pt;
   margin-left: 0em;
+  margin-right: 0em;
+}
+li.tocline1 {
+  line-height: normal;
+  font-weight: normal;
+  font-size: 9pt;
+  margin-left: 0em;
+  margin-right: 0em;
+}
+li.tocline2 {
+}
+li.excluded {
   font-size: 0pt;
+}
 ul p {
   margin-left: 0em;
+}
+.title, .filename, h1, h2, h3, h4 {
+  font-family: candara, helvetica, arial, sans-serif;
+}
+samp, tt, code, pre {
+  font: consolas, monospace;
+}
 …
   font-weight: bold;
   text-align: center;
   font-size: 9pt;
+  font-size: 10pt;
+}
 .filename {
   color: #333333;
+  font-size: 75%;
   font-weight: bold;
-  font-size: 12pt;
   line-height: 21pt;
   text-align: center;
 …
   font-weight: bold;
+}
-.hidden {
-  display: none;
+}
 .left {
   text-align: left;
 …
+}
 .title {
   color: #990000;
   font-size: 18pt;
+  color: green;
+  font-size: 150%;
   line-height: 18pt;
   font-weight: bold;
 …
   margin-top: 36pt;
+}
-.vcardline {
-  display: block;
+}
 .warning {
   font-size: 14pt;
+  font-size: 130%;
   background-color: yellow;
+}
 …
     display: none;
+  }
   a {
     color: black;
 …
     background-color: white;
     vertical-align: top;
     font-size: 12pt;
+  }
   ul.toc a::after {
+    font-size: 110%;
+  }
+  ul.toc a:nth-child(2)::after {
     content: leader('.') target-counter(attr(href), page);
+  }
   a.iref {
+  ul.ind li li a {
     content: target-counter(attr(href), page);
+  }
   .print2col {
     column-count: 2;
 …
 @page {
   @top-left {
        content: "Internet-Draft";
+  }
+       content: "Internet-Draft";
+  }
   @top-right {
        content: "March 2009";
+  }
+       content: "March 2009";
+  }
   @top-center {
        content: "Security Requirements for HTTP";
+  }
+       content: "Security Requirements for HTTP";
+  }
   @bottom-left {
        content: "Hodges & Leiba";
+  }
+       content: "Hodges & Leiba";
+  }
   @bottom-center {
        content: "Informational";
+  }
+       content: "Expires September 2009";
+  }
   @bottom-right {
        content: "[Page " counter(page) "]";
+  }
+}
 @page:first {
+       content: "[Page " counter(page) "]";
+  }
+}
+@page:first {
     @top-left {
       content: normal;
 …
       <link rel="Appendix" title="A Acknowledgements" href="#rfc.section.A">
       <link rel="Appendix" title="B Document History" href="#rfc.section.B">
       <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.510, 2010-02-20 17:14:25, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/">
+      <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.640, 2014/06/13 12:42:58, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/">
       <link rel="schema.dct" href="http://purl.org/dc/terms/">
       <meta name="dct.creator" content="Hodges, J.">
 …
       </table>
       <p class="title">Security Requirements for HTTP<br><span class="filename">draft-ietf-httpbis-security-properties-04</span></p>
+      <h1><a id="rfc.status" href="#rfc.status">Status of this Memo</a></h1>
+      <p>This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. This document may contain
+         material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s)
+         controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of
+         such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the
+         copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of
+         it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it
+         into languages other than English.
+      </p>
+      <p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note
+         that other groups may also distribute working documents as Internet-Drafts.
+      </p>
+      <p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other
+         documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work
+         in progress”.
+      </p>
+      <p>The list of current Internet-Drafts can be accessed at <a href="http://www.ietf.org/ietf/1id-abstracts.txt">http://www.ietf.org/ietf/1id-abstracts.txt</a>.
+      </p>
+      <p>The list of Internet-Draft Shadow Directories can be accessed at <a href="http://www.ietf.org/shadow.html">http://www.ietf.org/shadow.html</a>.
+      </p>
+      <p>This Internet-Draft will expire in September 2009.</p>
+      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
+      <p>Copyright © 2009 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
+      <p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date
+         of publication of this document (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
+      </p>
+      <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
+      <div id="rfc.status">
+         <h1><a href="#rfc.status">Status of this Memo</a></h1>
+         <p>This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. This document may contain
+            material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s)
+            controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of
+            such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the
+            copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of
+            it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it
+            into languages other than English.
+         </p>
+         <p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note
+            that other groups may also distribute working documents as Internet-Drafts.
+         </p>
+         <p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other
+            documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work
+            in progress”.
+         </p>
+         <p>The list of current Internet-Drafts can be accessed at <a href="http://www.ietf.org/ietf/1id-abstracts.txt">http://www.ietf.org/ietf/1id-abstracts.txt</a>.
+         </p>
+         <p>The list of Internet-Draft Shadow Directories can be accessed at <a href="http://www.ietf.org/shadow.html">http://www.ietf.org/shadow.html</a>.
+         </p>
+         <p>This Internet-Draft will expire in September 2009.</p>
+      </div>
+      <div id="rfc.copyrightnotice">
+         <h1><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
+         <p>Copyright © 2009 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
+         <p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date
+            of publication of this document (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
+         </p>
+      </div>
+      <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
       <p>Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement (MTI) security mechanisms, so that all
          conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies,
          and analyzes the trade-offs of each.
-      </p>
-      <hr class="noprint">
-      <h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a>&nbsp;Introduction
-      </h1>
-      <p id="rfc.section.1.p.1">Recent IESG practice dictates that IETF protocols be required to specify mandatory-to-implement (MTI) security mechanisms.
-         "The IETF Standards Process" <a href="#RFC2026"><cite title="The Internet Standards Process -- Revision 3">[RFC2026]</cite></a> does not require that protocols specify mandatory security mechanisms. "Strong Security Requirements for IETF Standard Protocols" <a href="#RFC3365"><cite title="Strong Security Requirements for Internet Engineering Task Force Standard Protocols">[RFC3365]</cite></a> requires that all IETF protocols provide a mechanism for implementers to provide strong security. RFC 3365 does not define
-         the term "strong security".
       </p>
+      <p id="rfc.section.1.p.2">"Security Mechanisms for the Internet" <a href="#RFC3631"><cite title="Security Mechanisms for the Internet">[RFC3631]</cite></a> is not an IETF procedural RFC, but it is perhaps most relevant. Section 2.2 states:
+      </p>
+      <div id="rfc.figure.u.1"></div> <pre>
+      <hr class="noprint">
+      <div>
+         <h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a>&nbsp;Introduction
+         </h1>
+         <p id="rfc.section.1.p.1">Recent IESG practice dictates that IETF protocols be required to specify mandatory-to-implement (MTI) security mechanisms.
+            "The IETF Standards Process" <a href="#RFC2026"><cite title="The Internet Standards Process -- Revision 3">[RFC2026]</cite></a> does not require that protocols specify mandatory security mechanisms. "Strong Security Requirements for IETF Standard Protocols" <a href="#RFC3365"><cite title="Strong Security Requirements for Internet Engineering Task Force Standard Protocols">[RFC3365]</cite></a> requires that all IETF protocols provide a mechanism for implementers to provide strong security. RFC 3365 does not define
+            the term "strong security".
+         </p>
+         <p id="rfc.section.1.p.2">"Security Mechanisms for the Internet" <a href="#RFC3631"><cite title="Security Mechanisms for the Internet">[RFC3631]</cite></a> is not an IETF procedural RFC, but it is perhaps most relevant. Section 2.2 states:
+         </p>
+         <div id="rfc.figure.u.1"></div><pre>
   We have evolved in the IETF the notion of "mandatory to implement"
   mechanisms.  This philosophy evolves from our primary desire to
 …
   selection of non-overlapping mechanisms being deployed in the
   different implementations.
+                </pre> <p id="rfc.section.1.p.4">This document examines the effects of applying security constraints to Web applications, documents the properties that result
+         from each method, and will make Best Current Practice recommendations for HTTP security in a later document version. At the
+         moment, it is mostly a laundry list of security technologies and tradeoffs.
+      </p>
+      <p id="rfc.section.1.p.5">[[ OVERALL ISSUE: It isn't entirely clear to the present editors what the purpose of this document is. On one hand it could
+         be a compendium of peer-entity authentication mechanisms (as it is presently) and make MTI recommendations thereof, or it
+         could be a place for various security considerations (either coalesced here from the other httpbis specs, or reserved for
+         the more gnarly cross-spec composite ones), or both. This needs to be clarified. ]]
+      </p>
+      <hr class="noprint">
+      <h1 id="rfc.section.2" class="np"><a href="#rfc.section.2">2.</a>&nbsp;Existing HTTP Security Mechanisms
+      </h1>
+      <p id="rfc.section.2.p.1">For HTTP, the IETF generally defines "security mechanisms" as some combination of access authentication and/or a secure transport.</p>
+      <p id="rfc.section.2.p.2">[[ There is a suggestion that this section be split into "browser-like" and "automation-like" subsections. See: </p>
+      <ul class="empty">
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0180.html</li>
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0183.html</li>
+      </ul>
+      <p> ]]</p>
+      <p id="rfc.section.2.p.3">[[ NTLM (shudder) was brought up in the WG a few times in the discussion of the -00 draft. Should we add a section on it?
+         See..
+      </p>
+      <ul class="empty">
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0132.html</li>
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0135.html</li>
+      </ul>
+      <p> ]]</p>
+      <h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a>&nbsp;Forms And Cookies
+      </h2>
+      <p id="rfc.section.2.1.p.1">[[ JH: I am not convinced that this subsection properly belongs in this overall section in that "HTTP+HTML Form based authentication"
+         &lt;http://en.wikipedia.org/wiki/HTTP%2BHTML_Form_based_authentication&gt; is not properly a part of HTTP itself. Rather, it is
+         a piece of applications layered on top of HTTP. Use of cookies for state management (e.g. session maintanence) can be considered
+         such, however (although there is no overall specification for HTTP user agents stipulating that they must implement cookies
+         (nominally <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>)). Perhaps this section should be should be retitled "HTTP Authentication".
+      </p>
+      <p id="rfc.section.2.1.p.2">Note: The httpstate WG was recently chartered to develop a successor to <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. See..
+      </p>
+      <ul class="empty">
+         <li>http://www.ietf.org/dyn/wg/charter/httpstate-charter.html</li>
+      </ul>
+      <p id="rfc.section.2.1.p.3">]]</p>
+      <p id="rfc.section.2.1.p.4">Almost all HTTP authentication that involves a human using a web browser is accomplished through HTML forms, with session
+         identifiers stored in cookies. For cookies, most implementations rely on the "Netscape specification", which is described
+         loosely in section 10 of "HTTP State Management Mechanism" <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. The protocol in RFC 2109 is relatively widely implemented, but most clients don't advertise support for it. RFC 2109 was
+         later updated <a href="#RFC2965"><cite title="HTTP State Management Mechanism">[RFC2965]</cite></a>, but the newer version is not widely implemented.
+      </p>
+      <p id="rfc.section.2.1.p.5">Forms and cookies have many properties that make them an excellent solution for some implementers. However, many of those
+         properties introduce serious security trade-offs.
+      </p>
+      <p id="rfc.section.2.1.p.6">HTML forms provide a large degree of control over presentation, which is an imperative for many websites. However, this increases
+         user reliance on the appearance of the interface. Many users do not understand the construction of URIs <a href="#RFC3986"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, or their presentation in common clients <a href="#PhishingHOWTO"><cite title="Phishing Tips and Techniques">[PhishingHOWTO]</cite></a>. As a result, forms are extremely vulnerable to spoofing.
+      </p>
+      <p id="rfc.section.2.1.p.7">HTML forms provide acceptable internationalization if used carefully, at the cost of being transmitted as normal HTTP content
+         in all cases (credentials are not differentiated in the protocol).
+      </p>
+      <p id="rfc.section.2.1.p.8">Many Web browsers have an auto-complete feature that stores a user's information and pre-populates fields in forms. This is
+         considered to be a convenience mechanism, and convenience mechanisms often have negative security properties. The security
+         concerns with auto-completion are particularly poignant for web browsers that reside on computers with multiple users. HTML
+         forms provide a facility for sites to indicate that a field, such as a password, should never be pre-populated. However, it
+         is clear that some form creators do not use this facility when they should.
+      </p>
+      <p id="rfc.section.2.1.p.9">The cookies that result from a successful form submission make it unnecessary to validate credentials with each HTTP request;
+         this makes cookies an excellent property for scalability. Cookies are susceptible to a large variety of XSS (cross-site scripting)
+         attacks, and measures to prevent such attacks will never be as stringent as necessary for authentication credentials because
+         cookies are used for many purposes. Cookies are also susceptible to a wide variety of attacks from malicious intermediaries
+         and observers. The possible attacks depend on the contents of the cookie data. There is no standard format for most of the
+         data.
+      </p>
+      <p id="rfc.section.2.1.p.10">HTML forms and cookies provide flexible ways of ending a session from the client.</p>
+      <p id="rfc.section.2.1.p.11">HTML forms require an HTML rendering engine for which many protocols have no use.</p>
+      <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;HTTP Access Authentication
+      </h2>
+      <p id="rfc.section.2.2.p.1">HTTP 1.1 provides a simple authentication framework, "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, which defines two optional mechanisms. Both of these mechanisms are extremely rarely used in comparison to forms and cookies,
+         but some degree of support for one or both is available in many implementations. Neither scheme provides presentation control,
+         logout capabilities, or interoperable internationalization.
+      </p>
+      <h3 id="rfc.section.2.2.1"><a href="#rfc.section.2.2.1">2.2.1</a>&nbsp;Basic Authentication
+      </h3>
+      <p id="rfc.section.2.2.1.p.1">Basic Authentication (normally called just "Basic") transmits usernames and passwords in the clear. It is very easy to implement,
+         but not at all secure unless used over a secure transport.
+      </p>
+      <p id="rfc.section.2.2.1.p.2">Basic has very poor scalability properties because credentials must be revalidated with every request, and because secure
+         transports negate many of HTTP's caching mechanisms. Some implementations use cookies in combination with Basic credentials,
+         but there is no standard method of doing so.
+      </p>
+      <p id="rfc.section.2.2.1.p.3">Since Basic credentials are clear text, they are reusable by any party. This makes them compatible with any authentication
+         database, at the cost of making the user vulnerable to mismanaged or malicious servers, even over a secure channel.
+      </p>
+      <p id="rfc.section.2.2.1.p.4">Basic is not interoperable when used with credentials that contain characters outside of the ISO 8859-1 repertoire.</p>
+      <h3 id="rfc.section.2.2.2"><a href="#rfc.section.2.2.2">2.2.2</a>&nbsp;Digest Authentication
+      </h3>
+      <p id="rfc.section.2.2.2.p.1">In Digest Authentication, the client transmits the results of hashing user credentials with properties of the request and
+         values from the server challenge. Digest is susceptible to man-in-the-middle attacks when not used over a secure transport.
+      </p>
+      <p id="rfc.section.2.2.2.p.2">Digest has some properties that are preferable to Basic and Cookies. Credentials are not immediately reusable by parties that
+         observe or receive them, and session data can be transmitted alongside credentials with each request, allowing servers to
+         validate credentials only when absolutely necessary. Authentication data session keys are distinct from other protocol traffic.
+      </p>
+      <p id="rfc.section.2.2.2.p.3">Digest includes many modes of operation, but only the simplest modes enjoy any degree of interoperability. For example, most
+         implementations do not implement the mode that provides full message integrity. Perhaps one reason is that implementation
+         experience has shown that in some cases, especially those involving large requests or responses such as streams, the message
+         integrity mode is impractical because it requires servers to analyze the full request before determining whether the client
+         knows the shared secret or whether message-body integrity has been violated and hence whether the request can be processed.
+      </p>
+      <p id="rfc.section.2.2.2.p.4">Digest is extremely susceptible to offline dictionary attacks, making it practical for attackers to perform a namespace walk
+         consisting of a few million passwords for most users.
+      </p>
+      <p id="rfc.section.2.2.2.p.5">Many of the most widely-deployed HTTP/1.1 clients are not compliant when GET requests include a query string <a href="#Apache_Digest"><cite title="Apache HTTP Server - mod_auth_digest">[Apache_Digest]</cite></a>.
+      </p>
+      <p id="rfc.section.2.2.2.p.6">Digest either requires that authentication databases be expressly designed to accommodate it, or requires access to cleartext
+         passwords. As a result, many authentication databases that chose to do the former are incompatible, including the most common
+         method of storing passwords for use with Forms and Cookies.
+      </p>
+      <p id="rfc.section.2.2.2.p.7">Many Digest capabilities included to prevent replay attacks expose the server to Denial of Service attacks.</p>
+      <p id="rfc.section.2.2.2.p.8">Digest is not interoperable when used with credentials that contain characters outside of the ISO 8859-1 repertoire.</p>
+      <h3 id="rfc.section.2.2.3"><a href="#rfc.section.2.2.3">2.2.3</a>&nbsp;Authentication Using Certificates in TLS
+      </h3>
+      <p id="rfc.section.2.2.3.p.1">Running HTTP over TLS provides authentication of the HTTP server to the client. HTTP over TLS can also provides authentication
+         of the client to the server using certificates. Although forms are a much more common way to authenticate users to HTTP servers,
+         TLS client certificates are widely used in some environments. The public key infrastructure (PKI) used to validate certificates
+         in TLS can be rooted in public trust anchors or can be based on local trust anchors.
+      </p>
+      <h3 id="rfc.section.2.2.4"><a href="#rfc.section.2.2.4">2.2.4</a>&nbsp;Other Access Authentication Schemes
+      </h3>
+      <p id="rfc.section.2.2.4.p.1">There are many niche schemes that make use of the HTTP Authentication framework, but very few are well documented. Some are
+         bound to transport layer connections.
+      </p>
+      <h4 id="rfc.section.2.2.4.1"><a href="#rfc.section.2.2.4.1">2.2.4.1</a>&nbsp;Negotiate (GSS-API) Authentication
+      </h4>
+      <p id="rfc.section.2.2.4.1.p.1">Microsoft has designed an HTTP authentication mechanism that utilizes SPNEGO <a href="#RFC4178"><cite title="The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism">[RFC4178]</cite></a> GSSAPI <a href="#RFC4559"><cite title="SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows">[RFC4559]</cite></a>. In Microsoft's implementation, SPNEGO allows selection between Kerberos and NTLM (Microsoft NT Lan Manager protocols).
+      </p>
+      <p id="rfc.section.2.2.4.1.p.2">In Kerberos, clients and servers rely on a trusted third-party authentication service which maintains its own authentication
+         database. Kerberos is typically used with shared secret key cryptography, but extensions for use of other authentication mechnanisms
+         such as PKIX certificates and two-factor tokens are also common. Kerberos was designed to work under the assumption that packets
+         traveling along the network can be read, modified, and inserted at will.
+      </p>
+      <p id="rfc.section.2.2.4.1.p.3">Unlike Digest, Negotiate authentication can take multiple round trips (client sending authentication data in Authorization,
+         server sending authentication data in WWW-Authenticate) to complete.
+      </p>
+      <p id="rfc.section.2.2.4.1.p.4">Kerberos authentication is generally more secure than Digest. However the requirement for having a separate network authentication
+         service might be a barrier to deployment.
+      </p>
+      <h4 id="rfc.section.2.2.4.2"><a href="#rfc.section.2.2.4.2">2.2.4.2</a>&nbsp;OAuth
+      </h4>
+      <p id="rfc.section.2.2.4.2.p.1">[[ See.. </p>
+      <ul class="empty">
+         <li>http://www.ietf.org/id/draft-hammer-http-token-auth-01.txt</li>
+         <li>http://www.ietf.org/id/draft-hammer-oauth-10.txt</li>
+      </ul>
+      <p> ]]</p>
+      <h2 id="rfc.section.2.3"><a href="#rfc.section.2.3">2.3</a>&nbsp;Centrally-Issued Tickets
+      </h2>
+      <p id="rfc.section.2.3.p.1">Many large Internet services rely on authentication schemes that center on clients consulting a single service for a time-limited
+         ticket that is validated with undocumented heuristics. Centralized ticket issuing has the advantage that users may employ
+         one set of credentials for many services, and clients don't send credentials to many servers. This approach is often no more
+         than a sophisticated application of forms and cookies.
+      </p>
+      <p id="rfc.section.2.3.p.2">All of the schemes in wide use are proprietary and non-standard, and usually are undocumented. There are many standardization
+         efforts in progress, as usual.
+      </p>
+      <h2 id="rfc.section.2.4"><a href="#rfc.section.2.4">2.4</a>&nbsp;Web Services
+      </h2>
+      <p id="rfc.section.2.4.p.1">Many security properties mentioned in this document have been recast in XML-based protocols, using HTTP as a substitute for
+         TCP. Like the amalgam of HTTP technologies mentioned above, the XML-based protocols are defined by an ever-changing combination
+         of standard and vendor-produced specifications, some of which may be obsoleted at any time <a href="#WS-Pagecount"><cite title="WS-Pagecount">[WS-Pagecount]</cite></a> without any documented change control procedures. These protocols usually don't have much in common with the Architecture
+         of the World Wide Web. It's not clear why the term "Web" is used to group them, but they are obviously out of scope for HTTP-based
+         application protocols.
+      </p>
+      <p id="rfc.section.2.4.p.2">[[ This section could really use a good definition of "Web Services" to differentiate it from REST. See.. </p>
+      <ul class="empty">
+         <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0536.html</li>
+      </ul>
+      <p> ]]</p>
+      <h2 id="rfc.section.2.5"><a href="#rfc.section.2.5">2.5</a>&nbsp;Transport Layer Security
+      </h2>
+      <p id="rfc.section.2.5.p.1">In addition to using TLS for client and/or server authentication, it is also very commonly used to protect the confidentiality
+         and integrity of the HTTP session. For instance, both HTTP Basic authentication and Cookies are often protected against snooping
+         by TLS.
+      </p>
+      <p id="rfc.section.2.5.p.2">It should be noted that, in that case, TLS does not protect against a breach of the credential store at the server or against
+         a keylogger or phishing interface at the client. TLS does not change the fact that Basic Authentication passwords are reusable
+         and does not address that weakness.
+      </p>
+      <hr class="noprint">
+      <h1 id="rfc.section.3" class="np"><a href="#rfc.section.3">3.</a>&nbsp;Revisions To HTTP
+      </h1>
+      <p id="rfc.section.3.p.1">Is is possible that HTTP will be revised in the future. "HTTP/1.1" <a href="#RFC2616"><cite title="Hypertext Transfer Protocol -- HTTP/1.1">[RFC2616]</cite></a> and "Use and Interpretation of HTTP Version Numbers" <a href="#RFC2145"><cite title="Use and Interpretation of HTTP Version Numbers">[RFC2145]</cite></a> define conformance requirements in relation to version numbers. In HTTP 1.1, all authentication mechanisms are optional, and
+         no single transport substrate is specified. Any HTTP revision that adds a mandatory security mechanism or transport substrate
+         will have to increment the HTTP version number appropriately. All widely used schemes are non-standard and/or proprietary.
+      </p>
+      <hr class="noprint">
+      <h1 id="rfc.section.4" class="np"><a href="#rfc.section.4">4.</a>&nbsp;IANA Considerations
+      </h1>
+      <p id="rfc.section.4.p.1">This document has no actions for IANA.</p>
+      <hr class="noprint">
+      <h1 id="rfc.section.5" class="np"><a href="#rfc.section.5">5.</a>&nbsp;Security Considerations
+      </h1>
+      <p id="rfc.section.5.p.1">This entire document is about security considerations.</p>
+                </pre><p id="rfc.section.1.p.4">This document examines the effects of applying security constraints to Web applications, documents the properties that result
+            from each method, and will make Best Current Practice recommendations for HTTP security in a later document version. At the
+            moment, it is mostly a laundry list of security technologies and tradeoffs.
+         </p>
+         <p id="rfc.section.1.p.5">[[ OVERALL ISSUE: It isn't entirely clear to the present editors what the purpose of this document is. On one hand it could
+            be a compendium of peer-entity authentication mechanisms (as it is presently) and make MTI recommendations thereof, or it
+            could be a place for various security considerations (either coalesced here from the other httpbis specs, or reserved for
+            the more gnarly cross-spec composite ones), or both. This needs to be clarified. ]]
+         </p>
+      </div>
+      <hr class="noprint">
+      <div>
+         <h1 id="rfc.section.2" class="np"><a href="#rfc.section.2">2.</a>&nbsp;Existing HTTP Security Mechanisms
+         </h1>
+         <p id="rfc.section.2.p.1">For HTTP, the IETF generally defines "security mechanisms" as some combination of access authentication and/or a secure transport.</p>
+         <p id="rfc.section.2.p.2">[[ There is a suggestion that this section be split into "browser-like" and "automation-like" subsections. See: </p>
+         <ul class="empty">
+            <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0180.html</li>
+            <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0183.html</li>
+         </ul>
+         <p> ]]</p>
+         <p id="rfc.section.2.p.3">[[ NTLM (shudder) was brought up in the WG a few times in the discussion of the -00 draft. Should we add a section on it?
+            See..
+         </p>
+         <ul class="empty">
+            <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0132.html</li>
+            <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0135.html</li>
+         </ul>
+         <p> ]]</p>
+         <div>
+            <h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a>&nbsp;Forms And Cookies
+            </h2>
+            <p id="rfc.section.2.1.p.1">[[ JH: I am not convinced that this subsection properly belongs in this overall section in that "HTTP+HTML Form based authentication"
+               &lt;http://en.wikipedia.org/wiki/HTTP%2BHTML_Form_based_authentication&gt; is not properly a part of HTTP itself. Rather, it is
+               a piece of applications layered on top of HTTP. Use of cookies for state management (e.g. session maintanence) can be considered
+               such, however (although there is no overall specification for HTTP user agents stipulating that they must implement cookies
+               (nominally <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>)). Perhaps this section should be should be retitled "HTTP Authentication".
+            </p>
+            <p id="rfc.section.2.1.p.2">Note: The httpstate WG was recently chartered to develop a successor to <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. See..
+            </p>
+            <ul class="empty">
+               <li>http://www.ietf.org/dyn/wg/charter/httpstate-charter.html</li>
+            </ul>
+            <p id="rfc.section.2.1.p.3">]]</p>
+            <p id="rfc.section.2.1.p.4">Almost all HTTP authentication that involves a human using a web browser is accomplished through HTML forms, with session
+               identifiers stored in cookies. For cookies, most implementations rely on the "Netscape specification", which is described
+               loosely in section 10 of "HTTP State Management Mechanism" <a href="#RFC2109"><cite title="HTTP State Management Mechanism">[RFC2109]</cite></a>. The protocol in RFC 2109 is relatively widely implemented, but most clients don't advertise support for it. RFC 2109 was
+               later updated <a href="#RFC2965"><cite title="HTTP State Management Mechanism">[RFC2965]</cite></a>, but the newer version is not widely implemented.
+            </p>
+            <p id="rfc.section.2.1.p.5">Forms and cookies have many properties that make them an excellent solution for some implementers. However, many of those
+               properties introduce serious security trade-offs.
+            </p>
+            <p id="rfc.section.2.1.p.6">HTML forms provide a large degree of control over presentation, which is an imperative for many websites. However, this increases
+               user reliance on the appearance of the interface. Many users do not understand the construction of URIs <a href="#RFC3986"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, or their presentation in common clients <a href="#PhishingHOWTO"><cite title="Phishing Tips and Techniques">[PhishingHOWTO]</cite></a>. As a result, forms are extremely vulnerable to spoofing.
+            </p>
+            <p id="rfc.section.2.1.p.7">HTML forms provide acceptable internationalization if used carefully, at the cost of being transmitted as normal HTTP content
+               in all cases (credentials are not differentiated in the protocol).
+            </p>
+            <p id="rfc.section.2.1.p.8">Many Web browsers have an auto-complete feature that stores a user's information and pre-populates fields in forms. This is
+               considered to be a convenience mechanism, and convenience mechanisms often have negative security properties. The security
+               concerns with auto-completion are particularly poignant for web browsers that reside on computers with multiple users. HTML
+               forms provide a facility for sites to indicate that a field, such as a password, should never be pre-populated. However, it
+               is clear that some form creators do not use this facility when they should.
+            </p>
+            <p id="rfc.section.2.1.p.9">The cookies that result from a successful form submission make it unnecessary to validate credentials with each HTTP request;
+               this makes cookies an excellent property for scalability. Cookies are susceptible to a large variety of XSS (cross-site scripting)
+               attacks, and measures to prevent such attacks will never be as stringent as necessary for authentication credentials because
+               cookies are used for many purposes. Cookies are also susceptible to a wide variety of attacks from malicious intermediaries
+               and observers. The possible attacks depend on the contents of the cookie data. There is no standard format for most of the
+               data.
+            </p>
+            <p id="rfc.section.2.1.p.10">HTML forms and cookies provide flexible ways of ending a session from the client.</p>
+            <p id="rfc.section.2.1.p.11">HTML forms require an HTML rendering engine for which many protocols have no use.</p>
+         </div>
+         <div>
+            <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;HTTP Access Authentication
+            </h2>
+            <p id="rfc.section.2.2.p.1">HTTP 1.1 provides a simple authentication framework, "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, which defines two optional mechanisms. Both of these mechanisms are extremely rarely used in comparison to forms and cookies,
+               but some degree of support for one or both is available in many implementations. Neither scheme provides presentation control,
+               logout capabilities, or interoperable internationalization.
+            </p>
+            <div>
+               <h3 id="rfc.section.2.2.1"><a href="#rfc.section.2.2.1">2.2.1</a>&nbsp;Basic Authentication
+               </h3>
+               <p id="rfc.section.2.2.1.p.1">Basic Authentication (normally called just "Basic") transmits usernames and passwords in the clear. It is very easy to implement,
+                  but not at all secure unless used over a secure transport.
+               </p>
+               <p id="rfc.section.2.2.1.p.2">Basic has very poor scalability properties because credentials must be revalidated with every request, and because secure
+                  transports negate many of HTTP's caching mechanisms. Some implementations use cookies in combination with Basic credentials,
+                  but there is no standard method of doing so.
+               </p>
+               <p id="rfc.section.2.2.1.p.3">Since Basic credentials are clear text, they are reusable by any party. This makes them compatible with any authentication
+                  database, at the cost of making the user vulnerable to mismanaged or malicious servers, even over a secure channel.
+               </p>
+               <p id="rfc.section.2.2.1.p.4">Basic is not interoperable when used with credentials that contain characters outside of the ISO 8859-1 repertoire.</p>
+            </div>
+            <div>
+               <h3 id="rfc.section.2.2.2"><a href="#rfc.section.2.2.2">2.2.2</a>&nbsp;Digest Authentication
+               </h3>
+               <p id="rfc.section.2.2.2.p.1">In Digest Authentication, the client transmits the results of hashing user credentials with properties of the request and
+                  values from the server challenge. Digest is susceptible to man-in-the-middle attacks when not used over a secure transport.
+               </p>
+               <p id="rfc.section.2.2.2.p.2">Digest has some properties that are preferable to Basic and Cookies. Credentials are not immediately reusable by parties that
+                  observe or receive them, and session data can be transmitted alongside credentials with each request, allowing servers to
+                  validate credentials only when absolutely necessary. Authentication data session keys are distinct from other protocol traffic.
+               </p>
+               <p id="rfc.section.2.2.2.p.3">Digest includes many modes of operation, but only the simplest modes enjoy any degree of interoperability. For example, most
+                  implementations do not implement the mode that provides full message integrity. Perhaps one reason is that implementation
+                  experience has shown that in some cases, especially those involving large requests or responses such as streams, the message
+                  integrity mode is impractical because it requires servers to analyze the full request before determining whether the client
+                  knows the shared secret or whether message-body integrity has been violated and hence whether the request can be processed.
+               </p>
+               <p id="rfc.section.2.2.2.p.4">Digest is extremely susceptible to offline dictionary attacks, making it practical for attackers to perform a namespace walk
+                  consisting of a few million passwords for most users.
+               </p>
+               <p id="rfc.section.2.2.2.p.5">Many of the most widely-deployed HTTP/1.1 clients are not compliant when GET requests include a query string <a href="#Apache_Digest"><cite title="Apache HTTP Server - mod_auth_digest">[Apache_Digest]</cite></a>.
+               </p>
+               <p id="rfc.section.2.2.2.p.6">Digest either requires that authentication databases be expressly designed to accommodate it, or requires access to cleartext
+                  passwords. As a result, many authentication databases that chose to do the former are incompatible, including the most common
+                  method of storing passwords for use with Forms and Cookies.
+               </p>
+               <p id="rfc.section.2.2.2.p.7">Many Digest capabilities included to prevent replay attacks expose the server to Denial of Service attacks.</p>
+               <p id="rfc.section.2.2.2.p.8">Digest is not interoperable when used with credentials that contain characters outside of the ISO 8859-1 repertoire.</p>
+            </div>
+            <div>
+               <h3 id="rfc.section.2.2.3"><a href="#rfc.section.2.2.3">2.2.3</a>&nbsp;Authentication Using Certificates in TLS
+               </h3>
+               <p id="rfc.section.2.2.3.p.1">Running HTTP over TLS provides authentication of the HTTP server to the client. HTTP over TLS can also provides authentication
+                  of the client to the server using certificates. Although forms are a much more common way to authenticate users to HTTP servers,
+                  TLS client certificates are widely used in some environments. The public key infrastructure (PKI) used to validate certificates
+                  in TLS can be rooted in public trust anchors or can be based on local trust anchors.
+               </p>
+            </div>
+            <div>
+               <h3 id="rfc.section.2.2.4"><a href="#rfc.section.2.2.4">2.2.4</a>&nbsp;Other Access Authentication Schemes
+               </h3>
+               <p id="rfc.section.2.2.4.p.1">There are many niche schemes that make use of the HTTP Authentication framework, but very few are well documented. Some are
+                  bound to transport layer connections.
+               </p>
+               <div>
+                  <h4 id="rfc.section.2.2.4.1"><a href="#rfc.section.2.2.4.1">2.2.4.1</a>&nbsp;Negotiate (GSS-API) Authentication
+                  </h4>
+                  <p id="rfc.section.2.2.4.1.p.1">Microsoft has designed an HTTP authentication mechanism that utilizes SPNEGO <a href="#RFC4178"><cite title="The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism">[RFC4178]</cite></a> GSSAPI <a href="#RFC4559"><cite title="SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows">[RFC4559]</cite></a>. In Microsoft's implementation, SPNEGO allows selection between Kerberos and NTLM (Microsoft NT Lan Manager protocols).
+                  </p>
+                  <p id="rfc.section.2.2.4.1.p.2">In Kerberos, clients and servers rely on a trusted third-party authentication service which maintains its own authentication
+                     database. Kerberos is typically used with shared secret key cryptography, but extensions for use of other authentication mechnanisms
+                     such as PKIX certificates and two-factor tokens are also common. Kerberos was designed to work under the assumption that packets
+                     traveling along the network can be read, modified, and inserted at will.
+                  </p>
+                  <p id="rfc.section.2.2.4.1.p.3">Unlike Digest, Negotiate authentication can take multiple round trips (client sending authentication data in Authorization,
+                     server sending authentication data in WWW-Authenticate) to complete.
+                  </p>
+                  <p id="rfc.section.2.2.4.1.p.4">Kerberos authentication is generally more secure than Digest. However the requirement for having a separate network authentication
+                     service might be a barrier to deployment.
+                  </p>
+               </div>
+               <div>
+                  <h4 id="rfc.section.2.2.4.2"><a href="#rfc.section.2.2.4.2">2.2.4.2</a>&nbsp;OAuth
+                  </h4>
+                  <p id="rfc.section.2.2.4.2.p.1">[[ See.. </p>
+                  <ul class="empty">
+                     <li>http://www.ietf.org/id/draft-hammer-http-token-auth-01.txt</li>
+                     <li>http://www.ietf.org/id/draft-hammer-oauth-10.txt</li>
+                  </ul>
+                  <p> ]]</p>
+               </div>
+            </div>
+         </div>
+         <div>
+            <h2 id="rfc.section.2.3"><a href="#rfc.section.2.3">2.3</a>&nbsp;Centrally-Issued Tickets
+            </h2>
+            <p id="rfc.section.2.3.p.1">Many large Internet services rely on authentication schemes that center on clients consulting a single service for a time-limited
+               ticket that is validated with undocumented heuristics. Centralized ticket issuing has the advantage that users may employ
+               one set of credentials for many services, and clients don't send credentials to many servers. This approach is often no more
+               than a sophisticated application of forms and cookies.
+            </p>
+            <p id="rfc.section.2.3.p.2">All of the schemes in wide use are proprietary and non-standard, and usually are undocumented. There are many standardization
+               efforts in progress, as usual.
+            </p>
+         </div>
+         <div>
+            <h2 id="rfc.section.2.4"><a href="#rfc.section.2.4">2.4</a>&nbsp;Web Services
+            </h2>
+            <p id="rfc.section.2.4.p.1">Many security properties mentioned in this document have been recast in XML-based protocols, using HTTP as a substitute for
+               TCP. Like the amalgam of HTTP technologies mentioned above, the XML-based protocols are defined by an ever-changing combination
+               of standard and vendor-produced specifications, some of which may be obsoleted at any time <a href="#WS-Pagecount"><cite title="WS-Pagecount">[WS-Pagecount]</cite></a> without any documented change control procedures. These protocols usually don't have much in common with the Architecture
+               of the World Wide Web. It's not clear why the term "Web" is used to group them, but they are obviously out of scope for HTTP-based
+               application protocols.
+            </p>
+            <p id="rfc.section.2.4.p.2">[[ This section could really use a good definition of "Web Services" to differentiate it from REST. See.. </p>
+            <ul class="empty">
+               <li>http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0536.html</li>
+            </ul>
+            <p> ]]</p>
+         </div>
+         <div>
+            <h2 id="rfc.section.2.5"><a href="#rfc.section.2.5">2.5</a>&nbsp;Transport Layer Security
+            </h2>
+            <p id="rfc.section.2.5.p.1">In addition to using TLS for client and/or server authentication, it is also very commonly used to protect the confidentiality
+               and integrity of the HTTP session. For instance, both HTTP Basic authentication and Cookies are often protected against snooping
+               by TLS.
+            </p>
+            <p id="rfc.section.2.5.p.2">It should be noted that, in that case, TLS does not protect against a breach of the credential store at the server or against
+               a keylogger or phishing interface at the client. TLS does not change the fact that Basic Authentication passwords are reusable
+               and does not address that weakness.
+            </p>
+         </div>
+      </div>
+      <hr class="noprint">
+      <div>
+         <h1 id="rfc.section.3" class="np"><a href="#rfc.section.3">3.</a>&nbsp;Revisions To HTTP
+         </h1>
+         <p id="rfc.section.3.p.1">Is is possible that HTTP will be revised in the future. "HTTP/1.1" <a href="#RFC2616"><cite title="Hypertext Transfer Protocol -- HTTP/1.1">[RFC2616]</cite></a> and "Use and Interpretation of HTTP Version Numbers" <a href="#RFC2145"><cite title="Use and Interpretation of HTTP Version Numbers">[RFC2145]</cite></a> define conformance requirements in relation to version numbers. In HTTP 1.1, all authentication mechanisms are optional, and
+            no single transport substrate is specified. Any HTTP revision that adds a mandatory security mechanism or transport substrate
+            will have to increment the HTTP version number appropriately. All widely used schemes are non-standard and/or proprietary.
+         </p>
+      </div>
+      <hr class="noprint">
+      <div>
+         <h1 id="rfc.section.4" class="np"><a href="#rfc.section.4">4.</a>&nbsp;IANA Considerations
+         </h1>
+         <p id="rfc.section.4.p.1">This document has no actions for IANA.</p>
+      </div>
+      <hr class="noprint">
+      <div>
+         <h1 id="rfc.section.5" class="np"><a href="#rfc.section.5">5.</a>&nbsp;Security Considerations
+         </h1>
+         <p id="rfc.section.5.p.1">This entire document is about security considerations.</p>
+      </div>
       <hr class="noprint">
       <h1 id="rfc.references" class="np"><a id="rfc.section.6" href="#rfc.section.6">6.</a> References
 …
       <h2 class="np" id="rfc.references.1"><a href="#rfc.section.6.1" id="rfc.section.6.1">6.1</a> Normative References
       </h2>
       <table>
+      <table>
          <tr>
             <td class="reference"><b id="RFC2026">[RFC2026]</b></td>
             <td class="top"><a href="mailto:sob@harvard.edu" title="Harvard University">Bradner, S.</a>, “<a href="http://tools.ietf.org/html/rfc2026">The Internet Standards Process -- Revision 3</a>”, BCP&nbsp;9, RFC&nbsp;2026, October&nbsp;1996.
             </td>
          </tr>
+            <td class="top"><a href="mailto:sob@harvard.edu" title="Harvard University">Bradner, S.</a>, “<a href="https://tools.ietf.org/html/rfc2026">The Internet Standards Process -- Revision 3</a>”, BCP&nbsp;9, RFC&nbsp;2026, October&nbsp;1996.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC2145">[RFC2145]</b></td>
             <td class="top"><a href="mailto:mogul@wrl.dec.com" title="Western Research Laboratory">Mogul, J.C.</a>, <a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.T.</a>, <a href="mailto:jg@w3.org" title="MIT Laboratory for Computer Science">Gettys, J.</a>, and <a href="mailto:frystyk@w3.org" title="W3 Consortium">H.F. Nielsen</a>, “<a href="http://tools.ietf.org/html/rfc2145">Use and Interpretation of HTTP Version Numbers</a>”, RFC&nbsp;2145, May&nbsp;1997.
             </td>
          </tr>
+            <td class="top"><a href="mailto:mogul@wrl.dec.com" title="Western Research Laboratory">Mogul, J.</a>, <a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="MIT Laboratory for Computer Science">Gettys, J.</a>, and <a href="mailto:frystyk@w3.org" title="W3 Consortium">H. Nielsen</a>, “<a href="https://tools.ietf.org/html/rfc2145">Use and Interpretation of HTTP Version Numbers</a>”, RFC&nbsp;2145, May&nbsp;1997.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC2616">[RFC2616]</b></td>
             <td class="top"><a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="World Wide Web Consortium">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com" title="Compaq Computer Corporation">Mogul, J.</a>, <a href="mailto:frystyk@w3.org" title="World Wide Web Consortium">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com" title="Xerox Corporation">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, and <a href="mailto:timbl@w3.org" title="World Wide Web Consortium">T. Berners-Lee</a>, “<a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>”, RFC&nbsp;2616, June&nbsp;1999.
             </td>
          </tr>
+            <td class="top"><a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="World Wide Web Consortium">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com" title="Compaq Computer Corporation">Mogul, J.</a>, <a href="mailto:frystyk@w3.org" title="World Wide Web Consortium">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com" title="Xerox Corporation">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, and <a href="mailto:timbl@w3.org" title="World Wide Web Consortium">T. Berners-Lee</a>, “<a href="https://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>”, RFC&nbsp;2616, June&nbsp;1999.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC2617">[RFC2617]</b></td>
             <td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.M.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.L.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.D.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.J.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, “<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999.
             </td>
          </tr>
+            <td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, “<a href="https://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC2965">[RFC2965]</b></td>
             <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D. M.</a> and <a href="mailto:lou@montulli.org" title="Epinions.com, Inc.">L. Montulli</a>, “<a href="http://tools.ietf.org/html/rfc2965">HTTP State Management Mechanism</a>”, RFC&nbsp;2965, October&nbsp;2000.
             </td>
          </tr>
+            <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D.</a> and <a href="mailto:lou@montulli.org" title="Epinions.com, Inc.">L. Montulli</a>, “<a href="https://tools.ietf.org/html/rfc2965">HTTP State Management Mechanism</a>”, RFC&nbsp;2965, October&nbsp;2000.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC3365">[RFC3365]</b></td>
             <td class="top">Schiller, J., “<a href="http://tools.ietf.org/html/rfc3365">Strong Security Requirements for Internet Engineering Task Force Standard Protocols</a>”, BCP&nbsp;61, RFC&nbsp;3365, August&nbsp;2002.
             </td>
          </tr>
+            <td class="top">Schiller, J., “<a href="https://tools.ietf.org/html/rfc3365">Strong Security Requirements for Internet Engineering Task Force Standard Protocols</a>”, BCP&nbsp;61, RFC&nbsp;3365, August&nbsp;2002.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC3631">[RFC3631]</b></td>
             <td class="top">Bellovin, S., Schiller, J., and C. Kaufman, “<a href="http://tools.ietf.org/html/rfc3631">Security Mechanisms for the Internet</a>”, RFC&nbsp;3631, December&nbsp;2003.
             </td>
          </tr>
+            <td class="top">Bellovin, S., Schiller, J., and C. Kaufman, “<a href="https://tools.ietf.org/html/rfc3631">Security Mechanisms for the Internet</a>”, RFC&nbsp;3631, December&nbsp;2003.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC3986">[RFC3986]</b></td>
             <td class="top"><a href="mailto:timbl@w3.org" title="World Wide Web Consortium">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com" title="Day Software">Fielding, R.</a>, and <a href="mailto:LMM@acm.org" title="Adobe Systems Incorporated">L. Masinter</a>, “<a href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>”, STD&nbsp;66, RFC&nbsp;3986, January&nbsp;2005.
             </td>
          </tr>
+            <td class="top"><a href="mailto:timbl@w3.org" title="World Wide Web Consortium">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com" title="Day Software">Fielding, R.</a>, and <a href="mailto:LMM@acm.org" title="Adobe Systems Incorporated">L. Masinter</a>, “<a href="https://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>”, STD&nbsp;66, RFC&nbsp;3986, January&nbsp;2005.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC4178">[RFC4178]</b></td>
             <td class="top">Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, “<a href="http://tools.ietf.org/html/rfc4178">The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism</a>”, RFC&nbsp;4178, October&nbsp;2005.
             </td>
          </tr>
+            <td class="top">Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, “<a href="https://tools.ietf.org/html/rfc4178">The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism</a>”, RFC&nbsp;4178, October&nbsp;2005.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="RFC4559">[RFC4559]</b></td>
             <td class="top">Jaganathan, K., Zhu, L., and J. Brezak, “<a href="http://tools.ietf.org/html/rfc4559">SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows</a>”, RFC&nbsp;4559, June&nbsp;2006.
             </td>
          </tr>
+            <td class="top">Jaganathan, K., Zhu, L., and J. Brezak, “<a href="https://tools.ietf.org/html/rfc4559">SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows</a>”, RFC&nbsp;4559, June&nbsp;2006.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="Apache_Digest">[Apache_Digest]</b></td>
             <td class="top">Apache Software Foundation, , “<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">Apache HTTP Server - mod_auth_digest</a>”, &lt;<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html</a>&gt;.
             </td>
          </tr>
+            <td class="top">Apache Software Foundation, ., “<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">Apache HTTP Server - mod_auth_digest</a>”, &lt;<a href="http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html">http://httpd.apache.org/docs/1.3/mod/mod_auth_digest.html</a>&gt;.
+            </td>
+         </tr>
          <tr>
             <td class="reference"><b id="PhishingHOWTO">[PhishingHOWTO]</b></td>
             <td class="top">Gutmann, P., “<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">Phishing Tips and Techniques</a>”, February&nbsp;2008, &lt;<a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf">http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf</a>&gt;.
             </td>
          </tr>
+         </tr>
          <tr>
             <td class="reference"><b id="WS-Pagecount">[WS-Pagecount]</b></td>
             <td class="top">Bray, T., “<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">WS-Pagecount</a>”, September&nbsp;2004, &lt;<a href="http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research">http://www.tbray.org/ongoing/When/200x/2004/09/21/WS-Research</a>&gt;.
             </td>
          </tr>
+         </tr>
       </table>
       <h2 id="rfc.references.2"><a href="#rfc.section.6.2" id="rfc.section.6.2">6.2</a> Informative References
       </h2>
       <table>
+      <table>
          <tr>
             <td class="reference"><b id="RFC2109">[RFC2109]</b></td>
             <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D.M.</a> and <a href="mailto:montulli@netscape.com" title="Netscape Communications Corp.">L. Montulli</a>, “<a href="http://tools.ietf.org/html/rfc2109">HTTP State Management Mechanism</a>”, RFC&nbsp;2109, February&nbsp;1997.
             </td>
          </tr>
+            <td class="top"><a href="mailto:dmk@bell-labs.com" title="Bell Laboratories, Lucent Technologies">Kristol, D.</a> and <a href="mailto:montulli@netscape.com" title="Netscape Communications Corp.">L. Montulli</a>, “<a href="https://tools.ietf.org/html/rfc2109">HTTP State Management Mechanism</a>”, RFC&nbsp;2109, February&nbsp;1997.
+            </td>
+         </tr>
       </table>
       <hr class="noprint">
+      <div class="avoidbreak">
+         <h1 id="rfc.authors" class="np"><a href="#rfc.authors">Authors' Addresses</a></h1>
+         <address class="vcard"><span class="vcardline"><span class="fn">Jeff Hodges</span><span class="n hidden"><span class="family-name">Hodges</span><span class="given-name">Jeff</span></span></span><span class="org vcardline">PayPal</span><span class="vcardline">EMail: <a href="mailto:Jeff.Hodges@PayPal.com"><span class="email">Jeff.Hodges@PayPal.com</span></a></span></address>
+         <address class="vcard"><span class="vcardline"><span class="fn">Barry Leiba</span><span class="n hidden"><span class="family-name">Leiba</span><span class="given-name">Barry</span></span></span><span class="org vcardline">Huawei Technologies</span><span class="vcardline tel">Phone: <a href="tel:+16468270648"><span class="value">+1 646 827 0648</span></a></span><span class="vcardline">EMail: <a href="mailto:barryleiba@computer.org"><span class="email">barryleiba@computer.org</span></a></span><span class="vcardline">URI: <a href="http://internetmessagingtechnology.org/" class="url">http://internetmessagingtechnology.org/</a></span></address>
+      </div>
+      <hr class="noprint">
+      <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a>&nbsp;Acknowledgements
+      </h1>
+      <p id="rfc.section.A.p.1">Much of the material in this document was written by Rob Sayre, who first promoted the topic. Many others on the HTTPbis Working
+         Group have contributed to this document in the discussion.
+      </p>
+      <hr class="noprint">
+      <h1 id="rfc.section.B" class="np"><a href="#rfc.section.B">B.</a>&nbsp;Document History
+      </h1>
+      <p id="rfc.section.B.p.1">[This entire section is to be removed when published as an RFC.]</p>
+      <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a>&nbsp;Changes between draft-sayre-http-security-variance-00 and                 draft-ietf-httpbis-security-properties-00
+      </h2>
+      <p id="rfc.section.B.1.p.1">Changed the authors to Paul Hoffman and Alexey Melnikov, with permission of Rob Sayre.</p>
+      <p id="rfc.section.B.1.p.2">Made lots of minor editorial changes.</p>
+      <p id="rfc.section.B.1.p.3">Removed what was section 2 (Requirements Notation), the reference to RFC 2119, and any use of 2119ish all-caps words.</p>
+      <p id="rfc.section.B.1.p.4">In 3.2.1 and 3.2.2, changed "Latin-1 range" to "ISO 8859-1 repertoire" to match the definition of "TEXT" in RFC 2616.</p>
+      <p id="rfc.section.B.1.p.5">Added minor text to the Security Considerations section.</p>
+      <p id="rfc.section.B.1.p.6">Added URLs to the two non-RFC references.</p>
+      <h2 id="rfc.section.B.2"><a href="#rfc.section.B.2">B.2</a>&nbsp;Changes between -00 and -01
+      </h2>
+      <p id="rfc.section.B.2.p.1">Fixed some editorial nits reported by Iain Calder.</p>
+      <p id="rfc.section.B.2.p.2">Added the suggestions about splitting for browsers and automation, and about adding NTLM, to be beginning of 2.</p>
+      <p id="rfc.section.B.2.p.3">In 2.1, added "that involves a human using a web browser" in the first sentence.</p>
+      <p id="rfc.section.B.2.p.4">In 2.1, changed "session key" to "session identifier".</p>
+      <p id="rfc.section.B.2.p.5">In 2.2.2, changed </p>
+      <div id="rfc.figure.u.2"></div><pre>
+      <div>
+         <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a>&nbsp;Acknowledgements
+         </h1>
+         <p id="rfc.section.A.p.1">Much of the material in this document was written by Rob Sayre, who first promoted the topic. Many others on the HTTPbis Working
+            Group have contributed to this document in the discussion.
+         </p>
+      </div>
+      <hr class="noprint">
+      <div>
+         <h1 id="rfc.section.B" class="np"><a href="#rfc.section.B">B.</a>&nbsp;Document History
+         </h1>
+         <p id="rfc.section.B.p.1">[This entire section is to be removed when published as an RFC.]</p>
+         <div>
+            <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a>&nbsp;Changes between draft-sayre-http-security-variance-00 and                 draft-ietf-httpbis-security-properties-00
+            </h2>
+            <p id="rfc.section.B.1.p.1">Changed the authors to Paul Hoffman and Alexey Melnikov, with permission of Rob Sayre.</p>
+            <p id="rfc.section.B.1.p.2">Made lots of minor editorial changes.</p>
+            <p id="rfc.section.B.1.p.3">Removed what was section 2 (Requirements Notation), the reference to RFC 2119, and any use of 2119ish all-caps words.</p>
+            <p id="rfc.section.B.1.p.4">In 3.2.1 and 3.2.2, changed "Latin-1 range" to "ISO 8859-1 repertoire" to match the definition of "TEXT" in RFC 2616.</p>
+            <p id="rfc.section.B.1.p.5">Added minor text to the Security Considerations section.</p>
+            <p id="rfc.section.B.1.p.6">Added URLs to the two non-RFC references.</p>
+         </div>
+         <div>
+            <h2 id="rfc.section.B.2"><a href="#rfc.section.B.2">B.2</a>&nbsp;Changes between -00 and -01
+            </h2>
+            <p id="rfc.section.B.2.p.1">Fixed some editorial nits reported by Iain Calder.</p>
+            <p id="rfc.section.B.2.p.2">Added the suggestions about splitting for browsers and automation, and about adding NTLM, to be beginning of 2.</p>
+            <p id="rfc.section.B.2.p.3">In 2.1, added "that involves a human using a web browser" in the first sentence.</p>
+            <p id="rfc.section.B.2.p.4">In 2.1, changed "session key" to "session identifier".</p>
+            <p id="rfc.section.B.2.p.5">In 2.2.2, changed </p><span id="rfc.figure.u.2"></span><pre>
 Digest includes many modes of operation, but only the simplest modes
 enjoy any degree of interoperability.  For example, most
 …
 to analyze the full request before determining whether the client
 knows the shared secret.
+</pre><p> to </p>
+      <div id="rfc.figure.u.3"></div><pre>
+</pre><p> to </p><span id="rfc.figure.u.3"></span><pre>
 Digest includes many modes of operation, but only the simplest
 modes enjoy any degree of interoperability.  For example, most
 …
 the request can be processed.
 </pre><p id="rfc.section.B.2.p.6">In 2.4, asked for a definition of "Web Services".</p>
+      <p id="rfc.section.B.2.p.7">In A, added the WG.</p>
+      <h2 id="rfc.section.B.3"><a href="#rfc.section.B.3">B.3</a>&nbsp;Changes between -01 and -02
+      </h2>
+      <p id="rfc.section.B.3.p.1">In section 2.1, added more to the paragraph on auto-completion of HTML forms.</p>
+      <p id="rfc.section.B.3.p.2">Added the section on TLS for authentication.</p>
+      <p id="rfc.section.B.3.p.3">Filled in section 2.5.</p>
+      <h2 id="rfc.section.B.4"><a href="#rfc.section.B.4">B.4</a>&nbsp;Changes between -02 and -03
+      </h2>
+      <p id="rfc.section.B.4.p.1">Changed IPR licensing from "full3978" to "pre5378Trust200902".</p>
+      <h2 id="rfc.section.B.5"><a href="#rfc.section.B.5">B.5</a>&nbsp;Changes between -03 and -04
+      </h2>
+      <p id="rfc.section.B.5.p.1">Changed authors to be Jeff Hodges (JH) and Barry Leiba (BL) with permission of Paul Hoffman, Alexey Melnikov, and Mark Nottingham
+         (httpbis chair).
+      </p>
+      <p id="rfc.section.B.5.p.2">Added "OVERALL ISSUE" to introduction.</p>
+      <p id="rfc.section.B.5.p.3">Added links to email messages on mailing list(s) where various suggestions for this document were brought up. I.e. added various
+         links to those comments herein delimited by "[[...]]" braces.
+      </p>
+      <p id="rfc.section.B.5.p.4">Noted JH's belief that "HTTP+HTML Form based authentication" aka "Forms And Cookies" doesn't properly belong in the section
+         where it presently resides. Added link to httpstate WG.
+      </p>
+      <p id="rfc.section.B.5.p.5">Added references to OAuth. Section needs to be filled-in as yet.</p>
+      <p id="rfc.section.B.5.p.6">Moved ref to RFC2109 to new "Informative References" section, and added a placeholder "IANA Considerations" section in order
+         to satisfy IDnits checking.
+      </p>
+            <p id="rfc.section.B.2.p.7">In A, added the WG.</p>
+         </div>
+         <div>
+            <h2 id="rfc.section.B.3"><a href="#rfc.section.B.3">B.3</a>&nbsp;Changes between -01 and -02
+            </h2>
+            <p id="rfc.section.B.3.p.1">In section 2.1, added more to the paragraph on auto-completion of HTML forms.</p>
+            <p id="rfc.section.B.3.p.2">Added the section on TLS for authentication.</p>
+            <p id="rfc.section.B.3.p.3">Filled in section 2.5.</p>
+         </div>
+         <div>
+            <h2 id="rfc.section.B.4"><a href="#rfc.section.B.4">B.4</a>&nbsp;Changes between -02 and -03
+            </h2>
+            <p id="rfc.section.B.4.p.1">Changed IPR licensing from "full3978" to "pre5378Trust200902".</p>
+         </div>
+         <div>
+            <h2 id="rfc.section.B.5"><a href="#rfc.section.B.5">B.5</a>&nbsp;Changes between -03 and -04
+            </h2>
+            <p id="rfc.section.B.5.p.1">Changed authors to be Jeff Hodges (JH) and Barry Leiba (BL) with permission of Paul Hoffman, Alexey Melnikov, and Mark Nottingham
+               (httpbis chair).
+            </p>
+            <p id="rfc.section.B.5.p.2">Added "OVERALL ISSUE" to introduction.</p>
+            <p id="rfc.section.B.5.p.3">Added links to email messages on mailing list(s) where various suggestions for this document were brought up. I.e. added various
+               links to those comments herein delimited by "[[...]]" braces.
+            </p>
+            <p id="rfc.section.B.5.p.4">Noted JH's belief that "HTTP+HTML Form based authentication" aka "Forms And Cookies" doesn't properly belong in the section
+               where it presently resides. Added link to httpstate WG.
+            </p>
+            <p id="rfc.section.B.5.p.5">Added references to OAuth. Section needs to be filled-in as yet.</p>
+            <p id="rfc.section.B.5.p.6">Moved ref to RFC2109 to new "Informative References" section, and added a placeholder "IANA Considerations" section in order
+               to satisfy IDnits checking.
+            </p>
+         </div>
+      </div>
+      <hr class="noprint">
+      <div class="avoidbreak">
+         <h1 id="rfc.authors" class="np"><a href="#rfc.authors">Authors' Addresses</a></h1>
+         <p><b>Jeff Hodges</b><br>PayPal<br>EMail: <a href="mailto:Jeff.Hodges@PayPal.com">Jeff.Hodges@PayPal.com</a></p>
+         <p><b>Barry Leiba</b><br>Huawei Technologies<br>Phone: <a href="tel:+16468270648">+1 646 827 0648</a><br>EMail: <a href="mailto:barryleiba@computer.org">barryleiba@computer.org</a><br>URI: <a href="http://internetmessagingtechnology.org/">http://internetmessagingtechnology.org/</a></p>
+      </div>
    </body>
 </html>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 2726 for draft-ietf-httpbis-security-properties/04

Legend:

draft-ietf-httpbis-security-properties/04/draft-ietf-httpbis-security-properties-04.html

Download in other formats: