The IESG has approved the following document:
- 'HTTP Authentication Extensions for Interactive Clients'
  (draft-ietf-httpauth-extension-09.txt) as Experimental RFC

This document is the product of the Hypertext Transfer Protocol Authentication Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpauth-extension/

Technical Summary

This document specifies extensions for the HTTP authentication framework for interactive clients. Currently, fundamental features of HTTP-level authentication are insufficient for complex requirements of various Web-based applications. This forces these applications to implement their own authentication frameworks by means like HTML forms, which becomes one of the hurdles against introducing secure authentication mechanisms handled jointly by servers and user-agent. The extended framework fills gaps between Web application requirements and HTTP authentication provisions to solve the above problems, while maintaining compatibility with existing Web and non-Web uses of HTTP authentications.

This document is one in a three-part set of documents describing the Mutual-Auth authentication method for HTTP. This part extends the HTTP authentication framework from RFC 7235 to include optional authentication as well as de-authorization (log out) and finer control of redirection depending on authentication status.

Working Group Summary

With version -07 it is the consensus of the HTTP-Auth working group that this document is fit to be published as an experimental RFC. The document received a moderate amount of review from the working group. In addition we solicited and received a review from Cory Benfield.

Document Quality

There are implementations of this protocol written by the authors. They take the form of a modified web server and a fork of the Firefox browser that include this functionality.

Personnel

Yoav Nir is the Document Shepherd and Kathleen Moriarty is the Responsible Area Director

IANA Note

This document establishes a registry with initial entries for HTTP authentication control parameters. New entries to this registry are by "Specification Required" described in [RFC5226]. The specification must be publicly accessible. This document also defines two new entries for the "Permanent Message Header Field Names" registry