RFC 2084 (rfc2084) - Page 2 of 6
Considerations for Web Transaction Security
RFC 2084 Considerations for Web Transaction Security January 1997
WTS is an enhancement to an object transport protocol. As such, it
does not provide independent certification of documents or other data
objects outside of the scope of the transfer of said objects. In
addition, security at the WTS layer is independent of and orthogonal
to security services provided at underlying network layers. It is
envisioned that WTS may coexist in a single transaction with such
mechanisms, each providing security services at the appropriate
level, with at worst some redundancy of service.
1.1 Terminology
The following terms have specific meanings in the context of this
document. The HTTP specification [1] defines additional useful
terms.
Transaction:
A complete HTTP action, consisting of a request from the
client and a response from the server.
Gatewayed Service:
A service accessed, via HTTP or an alternate protocol, by the
HTTP server on behalf of the client.
Mechanism:
A specific implementation of a protocol or of a related subset of
features of a protocol.
2. General Requirements
WTS must define the following services. These services must be
provided independently of each other and must support the needs of
proxies and intermediaries:
o Confidentiality of the HTTP request and/or response.
o Data origin authentication and data integrity of the HTTP request
and/or response.
o Non-repudiability of origin for the request and/or response.
o Transmission freshness of request and/or response.
o Ease of integration with other features of HTTP.
o Support of multiple mechanisms for the above services.
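As an added illustration of three of the services listed above (data origin authentication, data integrity and transmission freshness), not part of RFC 2084 and not any particular WTS mechanism, the following Python example authenticates the method, URI and body of an HTTP request with an HMAC over a shared key, binds a timestamp and a nonce into the MAC, and rejects tampered, stale and replayed requests on the server side. The header names (X-Timestamp, X-Nonce, X-MAC), the shared key and the request contents are constructed for the example. A shared-key MAC gives origin authentication and integrity only between the two holders of the key; the non-repudiation service named above would require an asymmetric signature instead, which this example does not show.

```python
"""Added example: origin authentication, integrity and freshness for an
HTTP transaction, using only the Python standard library."""
import hashlib
import hmac
import secrets
import time

# Constructed shared key for the example; a real deployment would hold a
# per-client key in a key-management system, never a literal in code.
SHARED_KEY = b"example-shared-key-do-not-use"

# Freshness window in seconds: a request whose timestamp is outside this
# window is rejected even if its MAC verifies, and a nonce already seen
# inside the window is rejected as a replay.
FRESHNESS_WINDOW = 300


def canonical_request(method, uri, body):
    """Canonical bytes covering the parts of the request we authenticate."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{uri}\n{body_hash}".encode()


def sign_request(key, method, uri, body, now=None, nonce=None):
    """Client side: return headers carrying origin authentication,
    integrity and freshness. Timestamp and nonce are bound into the MAC so
    neither can be altered or reused without detection."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_request(method, uri, body) + f"\n{ts}\n{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Header names are placeholders invented for this example.
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-MAC": mac}


class Verifier:
    """Server side. Remembers nonces seen inside the freshness window so a
    captured request cannot be replayed."""

    def __init__(self, key, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp

    def verify(self, method, uri, body, headers, now=None):
        """Return (ok, reason) for the request as received."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            mac = headers["X-MAC"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        msg = canonical_request(method, uri, body) + f"\n{ts}\n{nonce}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison: this is the integrity and origin check.
        if not hmac.compare_digest(expected, mac):
            return False, "bad MAC: tampered or wrong origin"
        # Freshness: reject stale timestamps, then repeated nonces.
        if abs(now - ts) > self.window:
            return False, "stale request"
        self._expire(now)
        if nonce in self.seen:
            return False, "replayed request"
        self.seen[nonce] = ts
        return True, "ok"

    def _expire(self, now):
        """Drop nonces that have aged out of the window."""
        for n, t in list(self.seen.items()):
            if abs(now - t) > self.window:
                del self.seen[n]


def demo():
    """Exercise the happy path, a replay, a tampered body and a stale request.
    Fixed timestamps and nonces keep the run deterministic."""
    v = Verifier(SHARED_KEY)
    body = b"name=alice&amount=10"  # constructed form data
    h = sign_request(SHARED_KEY, "POST", "/transfer", body, now=1000, nonce="n1")
    results = [v.verify("POST", "/transfer", body, h, now=1010)[0]]          # accepted
    results.append(v.verify("POST", "/transfer", body, h, now=1011)[0])      # replay
    tampered = b"name=alice&amount=9999"
    results.append(v.verify("POST", "/transfer", tampered, h, now=1010)[0])  # bad MAC
    h2 = sign_request(SHARED_KEY, "GET", "/balance", b"", now=1000, nonce="n2")
    results.append(v.verify("GET", "/balance", b"", h2, now=2000)[0])        # stale
    return results  # [True, False, False, False]


if __name__ == "__main__":
    print(demo())
```

The method is upper-cased before it enters the canonical form so that a case difference between client and server does not break verification, while the URI is covered verbatim; a mechanism that must survive proxies would also need to decide which headers, if any, intermediaries are allowed to rewrite, which is exactly the proxy requirement the list above raises.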
3. Confidentiality
WTS must be able to provide confidentiality for both requests and
responses. Note: because the identity of the object being requested
is potentially sensitive, the URI of the request should be
confidential; this is particularly critical in the common case of
form data or other user input being passed in the URI.
Bossert, et. al. Informational