httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject I-D ACTION:draft-ietf-http-authentication-00.txt (fwd)
Date Mon, 01 Dec 1997 17:48:46 GMT
I am amazed.  Actual work on authentication?  No..... it coudln't be.

My cynical mind suggests that browser vendors don't like real
authentication since they want to push client certificates for various
reasons, who cares about the fact that they aren't overly for a lot of

---------- Forwarded message ----------
Date: Mon, 01 Dec 1997 12:24:00 -0500
Subject: I-D ACTION:draft-ietf-http-authentication-00.txt
Resent-Date: Mon, 1 Dec 1997 17:26:15 GMT

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the HyperText Transfer Protocol Working Group 
of the IETF.

	Title		: HTTP Authentication: Basic and Digest Access 
	Author(s)	: J. Franks, A. Luotonen, P. Leach, J. Hostetler,
                          P. Hallam-Baker, E. Sink, L. Stewart
	Filename	: draft-ietf-http-authentication-00.txt
	Pages		: 27
	Date		: 26-Nov-97
       ''HTTP/1.0'' includes the specification for a Basic Access Authentication
       scheme. This scheme is not considered to be a secure method of user
       authentication (unless used in conjunction with  some external secure
       system such as SSL [5]), as the user name and password are passed over
       the network as clear text.
       This document also provides the specification for HTTP's authentication
       framework, the original Basic authentication scheme and a scheme based
       on cryptographic hashes, referred to as ''Digest Access Authentication''.
       It is therefore intended to also serve as a replacement for RFC 2069.[6]
       Like Basic, Digest access authentication verifies that both parties to a
       communication know a shared secret (a password); unlike Basic, this
       verification can be done without sending the password in the clear,
       which is Basic's biggest weakness. As with most other authentication
       protocols, the greatest sources of risks are usually found not in the
       core protocol itself but in policies and procedures surrounding its use.

Internet-Drafts are available by anonymous FTP.  Login with the username
"anonymous" and a password of your e-mail address.  After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-http-authentication-00.txt".
A URL for the Internet-Draft is:

Internet-Drafts directories are located at:

	Pacific Rim:
	US East Coast:
	US West Coast:

Internet-Drafts are also available by mail.

Send a message to:  In the body type:
	"FILE /internet-drafts/draft-ietf-http-authentication-00.txt".
NOTE:	The mail server at can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the

View raw message