idnits 2.17.1 draft-ietf-httpauth-basicauth-update-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC2617, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC2617, updated by this document, for RFC5378 checks: 1997-12-01) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 13, 2013) is 3877 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2396 (Obsoleted by RFC 3986) -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTPAuth Working Group J. Reschke 3 Internet-Draft greenbytes 4 Updates: 2617 (if approved) September 13, 2013 5 Intended status: Standards Track 6 Expires: March 17, 2014 8 The 'Basic' HTTP Authentication Scheme 9 draft-ietf-httpauth-basicauth-update-00 11 Abstract 13 This document defines the "Basic" Hypertext Transfer Protocol (HTTP) 14 Authentication Scheme. 16 Editorial Note (To be removed by RFC Editor before publication) 18 Discussion of this draft takes place on the HTTPAuth working group 19 mailing list (http-auth@ietf.org), which is archived at . 22 XML versions, latest edits and the issues list for this document are 23 available from . 26 The changes in this draft are summarized in Appendix A.1. 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at http://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on March 17, 2014. 45 Copyright Notice 47 Copyright (c) 2013 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 This document may contain material from IETF Documents or IETF 61 Contributions published or made publicly available before November 62 10, 2008. The person(s) controlling the copyright in some of this 63 material may not have granted the IETF Trust the right to allow 64 modifications of such material outside the IETF Standards Process. 65 Without obtaining an adequate license from the person(s) controlling 66 the copyright in such materials, this document may not be modified 67 outside the IETF Standards Process, and derivative works of it may 68 not be created outside the IETF Standards Process, except to format 69 it for publication as an RFC or to translate it into languages other 70 than English. 72 Table of Contents 74 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 75 2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3 76 3. The 'Basic' Authentication Scheme . . . . . . . . . . . . . . . 3 77 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 78 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 79 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5 80 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 81 7.1. Normative References . . . . . . . . . . . . . . . . . . . 6 82 7.2. Informative References . . . . . . . . . . . . . . . . . . 6 83 Appendix A. Change Log (to be removed by RFC Editor before 84 publication) . . . . . . . . . . . . . . . . . . . . . 7 85 A.1. Since RFC 2617 . . . . . . . . . . . . . . . . . . . . . . 7 86 Appendix B. Open issues (to be removed by RFC Editor prior to 87 publication) . . . . . . . . . . . . . . . . . . . . . 7 88 B.1. edit . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 89 B.2. upd . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 90 B.3. enc . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 91 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 93 1. Introduction 95 This document defines the "Basic" Hypertext Transfer Protocol (HTTP) 96 Authentication Scheme ([draft-ietf-httpbis-p7-auth]). This scheme is 97 not considered to be a secure method of user authentication unless 98 used in conjunction with some external secure system such as TLS 99 (Transport Layer Security, [RFC5246]), as the user name and password 100 are passed over the network as cleartext. 102 The "Basic" scheme previously was defined in Section 2 of [RFC2617]. 103 This document updates the definition, and also addresses 104 internationalization issues. 106 Other documents updating RFC 2617 are "Hypertext Transfer Protocol 107 (HTTP/1.1): Authentication" ([draft-ietf-httpbis-p7-auth], defining 108 the authentication framework) and "HTTP Digest Update" 109 ([draft-ietf-httpauth-digest-update], updating the definition of the 110 '"Digest" authentication scheme). 112 2. Notational Conventions 114 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 115 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 116 document are to be interpreted as described in [RFC2119]. 118 3. The 'Basic' Authentication Scheme 120 The "basic" authentication scheme is based on the model that the 121 client must authenticate itself with a user-ID and a password for 122 each realm. The realm value should be considered an opaque string 123 which can only be compared for equality with other realms on that 124 server. The server will service the request only if it can validate 125 the user-ID and password for the protection space of the Request-URI. 126 There are no optional authentication parameters. 128 For Basic, the framework above is utilized as follows: 130 challenge = "Basic" realm 131 credentials = "Basic" basic-credentials 133 Upon receipt of an unauthorized request for a URI within the 134 protection space, the origin server MAY respond with a challenge like 135 the following: 137 WWW-Authenticate: Basic realm="WallyWorld" 139 where "WallyWorld" is the string assigned by the server to identify 140 the protection space of the Request-URI. A proxy may respond with 141 the same challenge using the Proxy-Authenticate header field. 143 To receive authorization, the client sends the userid and password, 144 separated by a single colon (":") character, within a base64 145 [RFC2396] encoded string in the credentials. 147 basic-credentials = base64-user-pass 148 base64-user-pass = 150 user-pass = userid ":" password 151 userid = * 152 password = *TEXT 154 Userids might be case sensitive. 156 If the user agent wishes to send the userid "Aladdin" and password 157 "open sesame", it would use the following header field: 159 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== 161 A client SHOULD assume that all paths at or deeper than the depth of 162 the last symbolic element in the path field of the Request-URI also 163 are within the protection space specified by the Basic realm value of 164 the current challenge. A client MAY preemptively send the 165 corresponding Authorization header with requests for resources in 166 that space without receipt of another challenge from the server. 167 Similarly, when a client sends a request to a proxy, it may reuse a 168 userid and password in the Proxy-Authorization header field without 169 receiving another challenge from the proxy server. See Section 4 for 170 security considerations associated with Basic authentication. 172 4. Security Considerations 174 The Basic authentication scheme is not a secure method of user 175 authentication, nor does it in any way protect the entity, which is 176 transmitted in cleartext across the physical network used as the 177 carrier. HTTP does not prevent the addition of enhancements (such as 178 schemes to use one-time passwords) to Basic authentication. 180 The most serious flaw in Basic authentication is that it results in 181 the essentially cleartext transmission of the user's password over 182 the physical network. Many other authentication schemes address this 183 problem. 185 Because Basic authentication involves the cleartext transmission of 186 passwords it SHOULD NOT be used (without enhancements) to protect 187 sensitive or valuable information. 189 A common use of Basic authentication is for identification purposes 190 -- requiring the user to provide a user name and password as a means 191 of identification, for example, for purposes of gathering accurate 192 usage statistics on a server. When used in this way it is tempting 193 to think that there is no danger in its use if illicit access to the 194 protected documents is not a major concern. This is only correct if 195 the server issues both user name and password to the users and in 196 particular does not allow the user to choose his or her own password. 197 The danger arises because naive users frequently reuse a single 198 password to avoid the task of maintaining multiple passwords. 200 If a server permits users to select their own passwords, then the 201 threat is not only unauthorized access to documents on the server but 202 also unauthorized access to any other resources on other systems that 203 the user protects with the same password. Furthermore, in the 204 server's password database, many of the passwords may also be users' 205 passwords for other sites. The owner or administrator of such a 206 system could therefore expose all users of the system to the risk of 207 unauthorized access to all those sites if this information is not 208 maintained in a secure fashion. 210 Basic Authentication is also vulnerable to spoofing by counterfeit 211 servers. If a user can be led to believe that he is connecting to a 212 host containing information protected by Basic authentication when, 213 in fact, he is connecting to a hostile server or gateway, then the 214 attacker can request a password, store it for later use, and feign an 215 error. This type of attack is not possible with Digest 216 Authentication. Server implementers SHOULD guard against the 217 possibility of this sort of counterfeiting by gateways or CGI 218 scripts. In particular it is very dangerous for a server to simply 219 turn over a connection to a gateway. That gateway can then use the 220 persistent connection mechanism to engage in multiple transactions 221 with the client while impersonating the original server in a way that 222 is not detectable by the client. 224 5. IANA Considerations 226 IANA maintains the registry of HTTP Authentication Schemes 227 ([draft-ietf-httpbis-p7-auth]) at 228 . 230 The entry for the "Basic" Authentication Scheme shall be updated with 231 a pointer to this specification. 233 6. Acknowledgements 235 This specification takes over the definition of the "Basic" HTTP 236 Authentication Scheme, previously defined in RFC 2617. We thank John 237 Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. 238 Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for 239 their work on that specification, from which significant amounts of 240 text was borrowed. See Section 6 of [RFC2617] for further 241 acknowledgements. 243 7. References 245 7.1. Normative References 247 [RFC2045] Freed, N. and N. Borenstein, 248 "Multipurpose Internet Mail 249 Extensions (MIME) Part One: 250 Format of Internet Message 251 Bodies", RFC 2045, 252 November 1996. 254 [RFC2119] Bradner, S., "Key words for use 255 in RFCs to Indicate Requirement 256 Levels", BCP 14, RFC 2119, 257 March 1997. 259 [RFC2396] Berners-Lee, T., Fielding, R., 260 and L. Masinter, "Uniform 261 Resource Identifiers (URI): 262 Generic Syntax", RFC 2396, 263 August 1998. 265 [draft-ietf-httpbis-p7-auth] Fielding, R., Ed. and J. 266 Reschke, Ed., "Hypertext 267 Transfer Protocol (HTTP/1.1): 268 Authentication", 269 draft-ietf-httpbis-p7-auth-23 270 (work in progress), July 2013. 272 7.2. Informative References 274 [RFC2617] Franks, J., Hallam-Baker, P., 275 Hostetler, J., Lawrence, S., 276 Leach, P., Luotonen, A., and L. 277 Stewart, "HTTP Authentication: 278 Basic and Digest Access 279 Authentication", RFC 2617, 280 June 1999. 282 [RFC5246] Dierks, T. and E. Rescorla, "The 283 Transport Layer Security (TLS) 284 Protocol Version 1.2", RFC 5246, 285 August 2008. 287 [draft-ietf-httpauth-digest-update] Shekh-Yusef, R. and D. Ahrens, 288 "HTTP Digest Update", draft- 289 ietf-httpauth-digest-update-05 290 (work in progress), 291 September 2013. 293 Appendix A. Change Log (to be removed by RFC Editor before publication) 295 A.1. Since RFC 2617 297 This draft acts as a baseline for tracking subsequent changes to the 298 specification. As such, it extracts the definition of "Basic", plus 299 the related Security Considerations, and also adds the IANA 300 registration of the scheme. Changes to the actual definition will be 301 made in subsequent drafts. 303 Appendix B. Open issues (to be removed by RFC Editor prior to 304 publication) 306 B.1. edit 308 Type: edit 310 julian.reschke@greenbytes.de (2013-09-11): Umbrella issue for 311 editorial fixes/enhancements. 313 B.2. upd 315 In Section 3: 317 Type: change 319 julian.reschke@greenbytes.de (2013-09-12): Update the definition to 320 reflect underlying changes (RFC2616->httpbis, RFC2396->2616, other 321 references). 323 B.3. enc 325 In Section 3: 327 Type: change 329 julian.reschke@greenbytes.de (2013-09-12): Fix the encoding issue, by 330 pulling in draft-ietf-httpauth-basicauth-enc. 332 Index 334 B 335 base64-user-pass 4 336 basic-credentials 4 338 C 339 challenge 3 340 credentials 3 342 P 343 password 4 345 U 346 user-pass 4 347 userid 4 349 Author's Address 351 Julian F. Reschke 352 greenbytes GmbH 353 Hafenweg 16 354 Muenster, NW 48155 355 Germany 357 EMail: julian.reschke@greenbytes.de 358 URI: http://greenbytes.de/tech/webdav/