Concealed HTTP Authentication Scheme
Full Title
Request for Comments: 9729 The Concealed HTTP Authentication Scheme https://datatracker.ietf.org/doc/rfc9729/
Most HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes; however, that only works with non-cryptographic authentication schemes: cryptographic signatures require a fresh nonce to be signed. Prior to this document, there was no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document defines a new non-probeable cryptographic authentication scheme.
Context
This document defines the "Concealed" HTTP authentication scheme. It uses asymmetric cryptography. Clients possess a key ID and a public/private key pair, and origin servers maintain a mapping of authorized key IDs to associated public keys. ¶ RFC 9729: The Concealed HTTP Authentication Scheme - RFC Editor www.rfc-editor.org/rfc/rfc9729.html
