RFC 2084 (rfc2084) - Page 3 of 6
Considerations for Web Transaction Security
RFC 2084 Considerations for Web Transaction Security January 1997
4. Service Authentication
WTS should support the authentication of gatewayed services to the
client.
WTS should support the authentication of the origin HTTP server or
gatewayed services regardless of intermediary proxy or caching
servers.
To allow user privacy, WTS must support service authentication with
user anonymity.
Because the identity of the object being requested is potentially
sensitive, service authentication should occur before any part of the
request, including the URI of the requested object, is passed. In
cases where the authentication process depends on the URI (or other
header data) of the request, such as gatewayed services, the minimum
necessary information to identify the entity to be authenticated
should be passed.
5. User Authentication
WTS must support the authentication of the client to the server.
WTS should support the authentication of the client to gatewayed
services.
WTS should support the authentication of the client to the origin
HTTP server regardless of intermediary proxy servers.
6. Integrity
WTS must provide assurance of the integrity of the HTTP transaction,
including the HTTP headers and data objects of both client requests
and server responses.
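The integrity requirement above names the property but no mechanism. As an added illustration (not text or code from RFC 2084), the Python below covers a request line or status line, the headers and the body with an HMAC-SHA256 tag under an assumed pre-shared key, so that a rewritten target, header or body is detected while harmless re-casing or re-ordering of headers by an intermediary is not; the header name x-wts-mac and the sample messages are constructed for the example.

```python
import hashlib
import hmac

# Header that would carry the tag; a constructed placeholder, not from RFC 2084.
MAC_HEADER = "x-wts-mac"


def canonicalize(start_line, headers, body):
    """Build the bytes covered by the MAC.

    start_line is the request line ("GET /path HTTP/1.1") or the status
    line ("HTTP/1.1 200 OK"); headers is an iterable of (name, value)
    pairs. Names are lower-cased and pairs sorted, so re-casing or
    re-ordering by a proxy leaves the covered bytes unchanged, while any
    change to a name, a value, the target or the body changes them.
    The body is covered through its SHA-256 digest.
    """
    lines = [start_line.strip()]
    covered = sorted((name.lower(), value.strip())
                     for name, value in headers
                     if name.lower() != MAC_HEADER)
    lines.extend(f"{name}:{value}" for name, value in covered)
    lines.append(hashlib.sha256(body).hexdigest())
    return "\n".join(lines).encode("utf-8")


def sign_message(key, start_line, headers, body):
    """Hex HMAC-SHA256 tag over the canonical form of one HTTP message."""
    return hmac.new(key, canonicalize(start_line, headers, body),
                    hashlib.sha256).hexdigest()


def verify_message(key, start_line, headers, body, tag):
    """True only if the message still matches the tag (constant-time compare)."""
    return hmac.compare_digest(sign_message(key, start_line, headers, body), tag)


def demo():
    """Constructed request/response pair; returns (ok, tampered...) results."""
    key = b"constructed-shared-key"  # assumption: agreed out of band
    req_line = "GET /account/statement HTTP/1.1"
    req_headers = [("Host", "bank.example"), ("Cookie", "session=abc123")]
    req_tag = sign_message(key, req_line, req_headers, b"")
    # Re-cased, re-ordered headers with trailing whitespace still verify.
    ok = verify_message(key, req_line, [("cookie", "session=abc123"),
                                        ("HOST", "bank.example ")], b"", req_tag)
    # A rewritten request target or cookie value does not.
    bad_target = verify_message(key, "GET /account/transfer HTTP/1.1",
                                req_headers, b"", req_tag)
    bad_cookie = verify_message(key, req_line, [("Host", "bank.example"),
                                ("Cookie", "session=zzz")], b"", req_tag)
    resp_line, resp_headers = "HTTP/1.1 200 OK", [("Content-Type", "text/html")]
    resp_tag = sign_message(key, resp_line, resp_headers, b"balance: 100")
    bad_body = verify_message(key, resp_line, resp_headers, b"balance: 999", resp_tag)
    return ok, bad_target, bad_cookie, bad_body
```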
7. Integration
In order to support integration with current and future versions of
HTTP, and to provide extendibility and independence of development,
the secure services provided by WTS must be orthogonal to and
independent of other services provided by HTTP.
Bossert, et. al. Informational