One document matched: draft-ietf-httpauth-basicauth-update-00.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
This XML document is the output of clean-for-DTD.xslt; a tool that strips
extensions to RFC2629(bis) from documents for processing with xml2rfc.
-->
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc subcompact="no"?>
<?rfc rfcedstyle="yes"?>
<!DOCTYPE rfc
PUBLIC "" "rfc2629.dtd">
<rfc ipr="pre5378Trust200902" docName="draft-ietf-httpauth-basicauth-update-00" category="std" updates="2617">
<front>
<title abbrev="'Basic' HTTP Authentication Scheme">The 'Basic' HTTP Authentication Scheme</title>
<author initials="J. F." surname="Reschke" fullname="Julian F. Reschke">
<organization abbrev="greenbytes">greenbytes GmbH</organization>
<address>
<postal>
<street>Hafenweg 16</street>
<city>Muenster</city><region>NW</region><code>48155</code>
<country>Germany</country>
</postal>
<email>julian.reschke@greenbytes.de</email>
<uri>http://greenbytes.de/tech/webdav/</uri>
</address>
</author>
<date month="September" year="2013" day="13"/>
<area>Applications</area>
<workgroup>HTTPAuth Working Group</workgroup>
<abstract>
<t>
This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
Authentication Scheme.
</t>
</abstract>
<note title="Editorial Note (To be removed by RFC Editor before publication)">
<t>
Discussion of this draft takes place on the HTTPAuth working group
mailing list (http-auth@ietf.org), which is archived at
<eref target="http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html"/>.
</t>
<t>
XML versions, latest edits and the issues list for this document
are available from <eref target="http://greenbytes.de/tech/webdav/#draft-ietf-httpauth-basicauth-update"/>.
</t>
<t>
The changes in this draft are summarized in <xref target="changes.since.rfc2617"/>.
</t>
</note>
</front>
<middle>
<section title="Introduction" anchor="introduction">
<t>
This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
Authentication Scheme (<xref target="draft-ietf-httpbis-p7-auth"/>).
This scheme is not considered to be a secure method of user authentication
unless used in conjunction with some external secure system such as TLS
(Transport Layer Security, <xref target="RFC5246"/>), as the user name and
password are passed over the network as cleartext.
</t>
<t>
The "Basic" scheme previously was defined in Section 2 of <xref target="RFC2617"/>.
This document updates the definition, and also addresses internationalization issues.
</t>
<t>
Other documents updating RFC 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication"
(<xref target="draft-ietf-httpbis-p7-auth"/>, defining the authentication framework) and
"HTTP Digest Update" (<xref target="draft-ietf-httpauth-digest-update"/>,
updating the definition of the '"Digest" authentication scheme).
</t>
</section>
<section title="Notational Conventions">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in <xref target="RFC2119"/>.
</t>
</section>
<section title="The 'Basic' Authentication Scheme" anchor="basic.authentication.scheme">
<t>
The "basic" authentication scheme is based on the model that the
client must authenticate itself with a user-ID and a password for
each realm. The realm value should be considered an opaque string
which can only be compared for equality with other realms on that
server. The server will service the request only if it can validate
the user-ID and password for the protection space of the Request-URI.
There are no optional authentication parameters.
</t>
<t>
For Basic, the framework above is utilized as follows:
</t>
<figure><iref item="challenge"/><iref item="credentials"/><artwork type="abnf2616"><![CDATA[
challenge = "Basic" realm
credentials = "Basic" basic-credentials
]]></artwork></figure>
<t>
Upon receipt of an unauthorized request for a URI within the
protection space, the origin server MAY respond with a challenge like
the following:
</t>
<figure><artwork type="example"><![CDATA[
WWW-Authenticate: Basic realm="WallyWorld"
]]></artwork></figure>
<t>
where "WallyWorld" is the string assigned by the server to identify
the protection space of the Request-URI. A proxy may respond with the
same challenge using the Proxy-Authenticate header field.
</t>
<t>
To receive authorization, the client sends the userid and password,
separated by a single colon (":") character, within a base64 <xref target="RFC2396"/>
encoded string in the credentials.
</t>
<figure><iref item="basic-credentials" primary="true"/><iref item="base64-user-pass" primary="true"/><iref item="user-pass" primary="true"/><iref item="userid" primary="true"/><iref item="password" primary="true"/><artwork type="abnf2616"><![CDATA[
basic-credentials = base64-user-pass
base64-user-pass = <base64 [RFC2045] encoding of user-pass,
except not limited to 76 char/line>
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
]]></artwork></figure>
<t>
Userids might be case sensitive.
</t>
<t>
If the user agent wishes to send the userid "Aladdin" and password
"open sesame", it would use the following header field:
</t>
<figure><artwork type="example"><![CDATA[
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
]]></artwork></figure>
<t>
A client SHOULD assume that all paths at or deeper than the depth of
the last symbolic element in the path field of the Request-URI also
are within the protection space specified by the Basic realm value of
the current challenge. A client MAY preemptively send the
corresponding Authorization header with requests for resources in
that space without receipt of another challenge from the server.
Similarly, when a client sends a request to a proxy, it may reuse a
userid and password in the Proxy-Authorization header field without
receiving another challenge from the proxy server. See <xref target="security.considerations"/> for
security considerations associated with Basic authentication.
</t>
</section>
<section title="Security Considerations" anchor="security.considerations">
<t>
The Basic authentication scheme is not a secure method of user
authentication, nor does it in any way protect the entity, which is
transmitted in cleartext across the physical network used as the
carrier. HTTP does not prevent the addition of enhancements (such as
schemes to use one-time passwords) to Basic authentication.
</t>
<t>
The most serious flaw in Basic authentication is that it results in
the essentially cleartext transmission of the user's password over
the physical network. Many other authentication schemes address this
problem.
</t>
<t>
Because Basic authentication involves the cleartext transmission of
passwords it SHOULD NOT be used (without enhancements) to protect
sensitive or valuable information.
</t>
<t>
A common use of Basic authentication is for identification purposes
— requiring the user to provide a user name and password as a means
of identification, for example, for purposes of gathering accurate
usage statistics on a server. When used in this way it is tempting to
think that there is no danger in its use if illicit access to the
protected documents is not a major concern. This is only correct if
the server issues both user name and password to the users and in
particular does not allow the user to choose his or her own password.
The danger arises because naive users frequently reuse a single
password to avoid the task of maintaining multiple passwords.
</t>
<t>
If a server permits users to select their own passwords, then the
threat is not only unauthorized access to documents on the server but
also unauthorized access to any other resources on other systems that
the user protects with the same password. Furthermore, in the
server's password database, many of the passwords may also be users'
passwords for other sites. The owner or administrator of such a
system could therefore expose all users of the system to the risk of
unauthorized access to all those sites if this information is not
maintained in a secure fashion.
</t>
<t>
Basic Authentication is also vulnerable to spoofing by counterfeit
servers. If a user can be led to believe that he is connecting to a
host containing information protected by Basic authentication when,
in fact, he is connecting to a hostile server or gateway, then the
attacker can request a password, store it for later use, and feign an
error. This type of attack is not possible with Digest
Authentication. Server implementers SHOULD guard against the
possibility of this sort of counterfeiting by gateways or CGI
scripts. In particular it is very dangerous for a server to simply
turn over a connection to a gateway. That gateway can then use the
persistent connection mechanism to engage in multiple transactions
with the client while impersonating the original server in a way that
is not detectable by the client.
</t>
</section>
<section title="IANA Considerations" anchor="iana.considerations">
<t>
IANA maintains the registry of HTTP Authentication Schemes (<xref target="draft-ietf-httpbis-p7-auth"/>)
at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
</t>
<t>
The entry for the "Basic" Authentication Scheme shall be updated with a pointer
to this specification.
</t>
</section>
<section title="Acknowledgements">
<t>
This specification takes over the definition of the "Basic" HTTP Authentication
Scheme, previously defined in RFC 2617. We thank John Franks,
Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence,
Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for their work on
that specification, from which significant amounts of text was borrowed.
See Section 6 of <xref target="RFC2617"/> for further acknowledgements.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<reference anchor="RFC2045">
<front>
<title abbrev="Internet Message Bodies">Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies</title>
<author initials="N." surname="Freed" fullname="Ned Freed"/>
<author initials="N.S." surname="Borenstein" fullname="Nathaniel S. Borenstein"/>
<date year="1996" month="November"/>
</front>
<seriesInfo name="RFC" value="2045"/>
</reference>
<reference anchor="RFC2119">
<front>
<title abbrev="RFC Key Words">Key words for use in RFCs to Indicate Requirement Levels</title>
<author initials="S." surname="Bradner" fullname="Scott Bradner"/>
<date month="March" year="1997"/>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
</reference>
<reference anchor="RFC2396">
<front>
<title abbrev="URI Generic Syntax">Uniform Resource Identifiers (URI): Generic Syntax</title>
<author initials="T." surname="Berners-Lee" fullname="Tim Berners-Lee"/>
<author initials="R.T." surname="Fielding" fullname="Roy T. Fielding"/>
<author initials="L." surname="Masinter" fullname="Larry Masinter"/>
<date month="August" year="1998"/>
</front>
<seriesInfo name="RFC" value="2396"/>
</reference>
<reference anchor="draft-ietf-httpbis-p7-auth">
<front>
<title>Hypertext Transfer Protocol (HTTP/1.1): Authentication</title>
<author fullname="Roy T. Fielding" initials="R." role="editor" surname="Fielding"/>
<author fullname="Julian F. Reschke" initials="J. F." role="editor" surname="Reschke"/>
<date month="July" year="2013"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-p7-auth-23"/>
</reference>
</references>
<references title="Informative References">
<reference anchor="RFC2617">
<front>
<title abbrev="HTTP Authentication">HTTP Authentication: Basic and Digest Access Authentication</title>
<author initials="J." surname="Franks" fullname="John Franks"/>
<author initials="P.M." surname="Hallam-Baker" fullname="Phillip M. Hallam-Baker"/>
<author initials="J.L." surname="Hostetler" fullname="Jeffery L. Hostetler"/>
<author initials="S.D." surname="Lawrence" fullname="Scott D. Lawrence"/>
<author initials="P.J." surname="Leach" fullname="Paul J. Leach"/>
<author initials="A." surname="Luotonen" fullname="Ari Luotonen"/>
<author initials="L." surname="Stewart" fullname="Lawrence C. Stewart"/>
<date month="June" year="1999"/>
</front>
<seriesInfo name="RFC" value="2617"/>
</reference>
<reference anchor="RFC5246">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
<author initials="T." surname="Dierks" fullname="T. Dierks"/>
<author initials="E." surname="Rescorla" fullname="E. Rescorla"/>
<date year="2008" month="August"/>
</front>
<seriesInfo name="RFC" value="5246"/>
</reference>
<reference anchor="draft-ietf-httpauth-digest-update">
<front>
<title>HTTP Digest Update</title>
<author initials="R." surname="Shekh-Yusef" fullname="Rifaat Shekh-Yusef"/>
<author initials="D." surname="Ahrens" fullname="David Ahrens"/>
<date month="September" day="2" year="2013"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-httpauth-digest-update-05"/>
</reference>
</references>
<section title="Change Log (to be removed by RFC Editor before publication)" anchor="change.log">
<section title="Since RFC 2617" anchor="changes.since.rfc2617">
<t>
This draft acts as a baseline for tracking subsequent changes to the
specification. As such, it extracts the definition of "Basic", plus the related Security
Considerations, and also adds the IANA registration of the scheme.
Changes to the actual definition will be made in subsequent drafts.
</t>
</section>
</section>
<section title="Open issues (to be removed by RFC Editor prior to publication)"><section title="edit"><t>
Type: edit</t><t>julian.reschke@greenbytes.de (2013-09-11):
Umbrella issue for editorial fixes/enhancements.
</t></section><section title="upd"><t>
In Section 3:
</t><t>
Type: change</t><t>julian.reschke@greenbytes.de (2013-09-12):
Update the definition to reflect underlying changes (RFC2616->httpbis,
RFC2396->2616, other references).
</t></section><section title="enc"><t>
In Section 3:
</t><t>
Type: change</t><t>julian.reschke@greenbytes.de (2013-09-12):
Fix the encoding issue, by pulling in draft-ietf-httpauth-basicauth-enc.
</t></section></section></back>
</rfc>| PAFTECH AB 2003-2026 | 2026-04-23 14:19:21 |