rfc9729v2.md   rfc9729.md 
--- ---
title: The Concealed HTTP Authentication Scheme title: The Concealed HTTP Authentication Scheme
docname: draft-ietf-httpbis-unprompted-auth-latest docname: draft-ietf-httpbis-unprompted-auth-latest
submissiontype: IETF submissiontype: IETF
number: 9729 number: 9729
date: 2025-01 date: 2025-02
consensus: true consensus: true
v: 3 v: 3
category: std category: std
wg: HTTPBIS wg: HTTPBIS
area: "Web and Internet Transport" area: "Web and Internet Transport"
keyword: keyword:
- secure - secure
- tunnels - tunnels
- masque - masque
- http-ng - http-ng
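Review bot: The `date:` line is the only front-matter change in this block (2025-01 to 2025-02); since `number: 9729` and `docname:` are unchanged, confirm the new month matches the publication date recorded by the RFC Editor so the document header and the published metadata do not disagree.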
skipping to change at line 221 skipping to change at line 221
Port: Port:
: The port for this request, encoded in network byte order. Note that the port : The port for this request, encoded in network byte order. Note that the port
is either included in the URI or is the default port for the scheme in use; is either included in the URI or is the default port for the scheme in use;
see {{Section 3.2.3 of URI}}. see {{Section 3.2.3 of URI}}.
Realm: Realm:
: The realm of authentication that is sent in the realm authentication : The realm of authentication that is sent in the realm authentication
parameter ({{Section 11.5 of HTTP}}). If the realm authentication parameter is parameter (see {{Section 11.5 of HTTP}}). If the realm authentication parameter is
not present, this SHALL be empty. This document does not define a means for the not present, this SHALL be empty. This document does not define a means for the
origin to communicate a realm to the client. If a client is not configured to origin to communicate a realm to the client. If a client is not configured to
use a specific realm, it SHALL use an empty realm and SHALL NOT send the realm use a specific realm, it SHALL use an empty realm and SHALL NOT send the realm
authentication parameter. authentication parameter.
The Signature Algorithm and Port fields are encoded as unsigned 16-bit integers The Signature Algorithm and Port fields are encoded as unsigned 16-bit integers
in network byte order. The Key ID, Public Key, Scheme, Host, and Realm fields in network byte order. The Key ID, Public Key, Scheme, Host, and Realm fields
are length-prefixed strings; they are preceded by a Length field that are length-prefixed strings; they are preceded by a Length field that
represents their length in bytes. These length fields are encoded using the represents their length in bytes. These length fields are encoded using the
variable-length integer encoding from {{Section 16 of QUIC}} and MUST be variable-length integer encoding from {{Section 16 of QUIC}} and MUST be
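Review bot: Inserting "see" before the `{{Section 11.5 of HTTP}}` reference in the Realm definition brings it in line with the `see {{Section 3.2.3 of URI}}` form used two lines earlier in the Port definition; the normative requirements (SHALL use an empty realm, SHALL NOT send the realm parameter when none is configured) are untouched, so this is editorial only.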
skipping to change at line 344 skipping to change at line 344
~~~ abnf ~~~ abnf
concealed-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" ) concealed-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" )
concealed-integer-param-value = %x31-39 1*4( DIGIT ) / "0" concealed-integer-param-value = %x31-39 1*4( DIGIT ) / "0"
~~~ ~~~
{: #fig-param title="Authentication Parameter Value ABNF"} {: #fig-param title="Authentication Parameter Value ABNF"}
## The k Parameter {#parameter-k} ## The k Parameter {#parameter-k}
The REQUIRED "k" (key ID) Parameter is a byte sequence that identifies which The REQUIRED "k" (key ID) Parameter is a byte sequence that identifies which
key the client wishes to use to authenticate. This is used by the backend to key the client wishes to use to authenticate. This is used by the backend to
point to an entry in a server-side database of known keys; see {{backend}}. point to an entry in a server-side database of known keys (see {{backend}}).
## The a Parameter {#parameter-a} ## The a Parameter {#parameter-a}
The REQUIRED "a" (public key) Parameter is a byte sequence that specifies the The REQUIRED "a" (public key) Parameter is a byte sequence that specifies the
public key used by the server to validate the signature provided by the client. public key used by the server to validate the signature provided by the client.
This avoids key confusion issues (see {{SEEMS-LEGIT}}). The encoding of the This avoids key confusion issues (see {{SEEMS-LEGIT}}). The encoding of the
public key is described in {{public-key-encoding}}. public key is described in {{public-key-encoding}}.
## The p Parameter {#parameter-p} ## The p Parameter {#parameter-p}
The REQUIRED "p" (proof) Parameter is a byte sequence that specifies the proof The REQUIRED "p" (proof) Parameter is a byte sequence that specifies the proof
that the client provides to attest to possessing the credential that matches that the client provides to attest to possessing the credential that matches
its key ID. its key ID.
## The s Parameter {#parameter-s} ## The s Parameter {#parameter-s}
The REQUIRED "s" (signature) Parameter is an integer that specifies the The REQUIRED "s" (signature scheme) Parameter is an integer that specifies the
signature scheme used to compute the proof transmitted in the `p` Parameter. signature scheme used to compute the proof transmitted in the `p` Parameter.
Its value is an integer between 0 and 65535 inclusive from the IANA "TLS Its value is an integer between 0 and 65535 inclusive from the IANA "TLS
SignatureScheme" registry maintained at SignatureScheme" registry maintained at
<[](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-sig naturescheme)>. <[](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-sig naturescheme)>.
## The v Parameter {#parameter-v} ## The v Parameter {#parameter-v}
The REQUIRED "v" (verification) Parameter is a byte sequence that specifies the The REQUIRED "v" (verification) Parameter is a byte sequence that specifies the
verification that the client provides to attest to possessing the key exporter verification that the client provides to attest to possessing the key exporter
output (see {{output}} for details). This avoids issues with signature schemes output (see {{output}} for details). This avoids issues with signature schemes
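Review bot: Changing the `s` Parameter's parenthetical from "signature" to "signature scheme" fixes an inconsistency with the very next sentence, which already says the integer "specifies the signature scheme used to compute the proof"; the value range (0 to 65535, from the IANA TLS SignatureScheme registry) is unchanged. The `k` Parameter edit from "; see {{backend}}." to "(see {{backend}})." is style-only. Separately, the registry URL in the `s` section appears as "tls-sig naturescheme" in both columns; that is line-wrapping residue from the diff rendering, not a change, but it is worth checking that the anchor is intact in the source.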
End of changes. 4 change blocks. 4 lines changed or deleted, 4 lines changed or added.

This html diff was produced by rfcdiff 1.48.