Concealed HTTP Authentication Scheme

From MgmtWiki
Revision as of 21:28, 14 February 2025 by Tom (talk | contribs) (Full Title)

Jump to: navigation, search

Full Title

Request for Comments: 9729 The Concealed HTTP Authentication Scheme https://datatracker.ietf.org/doc/rfc9729/ 

Most HTTP authentication schemes are probeable in the sense that it
  is possible for an unauthenticated client to probe whether an origin
  serves resources that require authentication.  It is possible for an
  origin to hide the fact that it requires authentication by not
  generating Unauthorized status codes; however, that only works with
  non-cryptographic authentication schemes: cryptographic signatures
  require a fresh nonce to be signed.  Prior to this document, there
  was no existing way for the origin to share such a nonce without
  exposing the fact that it serves resources that require
  authentication.  This document defines a new non-probeable
  cryptographic authentication scheme.

Context

This document defines the "Concealed" HTTP authentication scheme. It uses asymmetric cryptography. Clients possess a key ID and a public/private key pair, and origin servers maintain a mapping of authorized key IDs to associated public keys. ¶ RFC 9729: The Concealed HTTP Authentication Scheme - RFC Editor www.rfc-editor.org/rfc/rfc9729.html


References

Retrieved from "http://tcwiki.azurewebsites.net/index.php?title=Concealed_HTTP_Authentication_Scheme&oldid=22888"