RFC 2084 (rfc2084) - Page 3 of 6

Considerations for Web Transaction Security

Alternative Format: Original Text Document
< Previous
Next >
RFC 2084      Considerations for Web Transaction Security   January 1997


4. Service Authentication

   WTS should support the authentication of gatewayed services to the
   client.

   WTS should support the authentication of the origin HTTP server or
   gatewayed services regardless of intermediary proxy or caching
   servers.

   To allow user privacy, WTS must support service authentication with
   user anonymity.

   Because the identity of the object being requested is potentially
   sensitive, service authentication should occur before any part of the
   request, including the URI of the requested object, is passed.  In
   cases where the authentication process depends on the URI (or other
   header data) of the request, such as gatewayed services, the minimum
   necessary information to identify the entity to be authenticated
   should be passed.

5. User Authentication

   WTS must support the authentication of the client to the server.

   WTS should support the authentication of the client to gatewayed
   services.

   WTS should support the authentication of the client to the origin
   HTTP server regardless of intermediary proxy servers.

6. Integrity

   WTS must provide assurance of the integrity of the HTTP transaction,
   including the HTTP headers and data objects of both client requests
   and server responses.

7. Integration

   In order to support integration with current and future versions of
   HTTP, and to provide extendibility and independence of development,
   the secure services provided by WTS must be orthogonal to and
   independent of other services provided by HTTP.









Bossert, et. al.             Informational
< Previous
Next >