Prior Art

- RFC 2617: "HTTP Authentication: Basic and Digest Access Authentication"
  - Defines BASIC authentication (cleartext) and DIGEST (vulnerable to man-in-the-middle attacks, no security layer)
- draft-brezak-spnego-http-XX.txt by John Brezak
  - Works only with SPNEGO GSSAPI authentication mechanisms
  - Doesn’t support channel protection (authentication only)
  - Needs special indication from proxies that they don’t share authentication state ("Proxy-support: Session-Based-Authentication")
- draft-burdis-http-sasl-XX by Keith Burdis (expired)
  - Used HTTP Upgrade. CONNECT is required to establish the end-to-end tunnel, as the Upgrade header is hop-by-hop.
  - Comments and suggestions from Keith have been incorporated into our memo (and this presentation)