
Document Action: 'Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2' to Informational RFC



The IESG has approved the following document:

- 'Hypertext Transfer Protocol (HTTP) Digest Authentication Using
   Authentication and Key Agreement (AKA) Version-2'
   <draft-torvinen-http-digest-aka-v2-02.txt> as an Informational RFC

This document has been reviewed in the IETF but is not the product of an
IETF Working Group. 

The IESG contact person is Allison Mankin.

RFC Editor Note

Abstract

OLD:

   HTTP Digest as specified in [4] is known to be vulnerable to
   man-in-the-middle attacks if the client fails to authenticate the
   server in TLS, or if the same passwords are used for authentication
   in some other context without TLS.  This is a general problem that
   exist not just with HTTP Digest but also with other IETF protocols
   that use tunneled authentication.  This document specifies version 2
   of the HTTP Digest AKA algorithm [6].  This algorithm can be
   implemented in a way that it is resistant to the man-in-the-middle
   attack.

NEW:

   HTTP Digest as specified in RFC 2617 is known to be vulnerable to
   man-in-the-middle attacks if the client fails to authenticate the
   server in TLS, or if the same passwords are used for authentication
   in some other context without TLS.  This is a general problem that
   exists not just with HTTP Digest but also with other IETF protocols
   that use tunneled authentication.  This document specifies version 2
   of the HTTP Digest AKA algorithm (RFC 3310).  This algorithm can be
   implemented in a way that is resistant to the man-in-the-middle
   attack.


_______________________________________________
IETF-Announce mailing list
IETF-Announce at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce