File formats:

Also available: XML file for editing

 

Status:

PROPOSED STANDARD

Authors:

D. Schinazi
D. Oliver
J. Hoyland

Stream:

IETF

Source:

httpbis (wit)

Cite this RFC: TXT  |  XML  |   BibTeX

DOI:  https://doi.org/10.17487/RFC9729

Discuss this RFC: Send questions or comments to the mailing list ietf-http-wg@w3.org

Other actions: Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 9729

Abstract

Most HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes; however, that only works with non-cryptographic authentication schemes: cryptographic signatures require a fresh nonce to be signed. Prior to this document, there was no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document defines a new non-probeable cryptographic authentication scheme.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.