Skip to content

Commit 26e7b7c

Browse files
author
ietf-corpus-bot
committed
auto-ingest: ietf-elements backfill — 233 new elements (2026-07-12)
1 parent f070da9 commit 26e7b7c

233 files changed

Lines changed: 2151 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
document: rfc-9729
2+
kind: design-rationale
3+
summary: 'Authentication checks can introduce timing side-channels: an attacker can compare response timing for known-nonexistent resources versus potentially authenticated resources. Servers should slightly delay responses to some nonexistent resources to mask authentication verification time, but must avoid making the delay itself reveal that this mechanism is in use.'
4+
section: "6.4"
5+
topics:
6+
- http
7+
- security
8+
- privacy
9+
- measurement
10+
extracted_by: claude-sonnet-4-6
11+
extracted_at: "2026-07-12"
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
document: rfc-9729
2+
kind: design-rationale
3+
summary: Existing signature-based HTTP authentication schemes (e.g., HOBA) require the server to send a fresh nonce/challenge to the client, which reveals that authentication is expected. The Concealed scheme instead derives freshness from a TLS keying material exporter, allowing the server to never issue a challenge and thus remain non-probeable.
4+
section: "1"
5+
topics:
6+
- http
7+
- tls
8+
- security
9+
- privacy
10+
extracted_by: claude-sonnet-4-6
11+
extracted_at: "2026-07-12"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-9729
2+
kind: design-rationale
3+
summary: The 'a' parameter (public key included in the Authorization header) avoids key confusion issues identified in the 'Seems Legit' paper, where an attacker could trick a server into accepting a signature computed for a different key. The 'v' parameter similarly guards against signature schemes where certain keys can produce signatures valid for multiple inputs.
4+
section: "4.2"
5+
topics:
6+
- http
7+
- crypto
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-07-12"
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
document: rfc-9729
2+
kind: design-rationale
3+
summary: The static prefix (64 x 0x20 + context string + zero separator) prepended before signing mirrors the TLS 1.3 CertificateVerify construction. Its purpose is to mitigate issues that could arise if authentication keys were accidentally reused across protocols, even though such reuse is explicitly forbidden.
4+
section: "3.3"
5+
topics:
6+
- http
7+
- tls
8+
- crypto
9+
- security
10+
extracted_by: claude-sonnet-4-6
11+
extracted_at: "2026-07-12"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-9729
2+
kind: interoperability-note
3+
summary: The Concealed authentication scheme is only defined for HTTP over TLS, including HTTP/2 over TLS and HTTP/3 (where QUIC uses TLS for key exchange). It is not defined for cleartext HTTP.
4+
section: "7"
5+
topics:
6+
- http
7+
- tls
8+
- quic
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-07-12"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-9729
2+
kind: normative-requirement
3+
summary: Byte-sequence authentication parameter values MUST NOT include any characters other than ASCII letters, digits, dash, and underscore (base64url without padding). The integer parameter value MUST NOT include any characters other than digits and MUST NOT start with a zero unless the full value is '0'.
4+
section: "4"
5+
rfc2119_level: MUST NOT
6+
topics:
7+
- http
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-12"
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
document: rfc-9729
2+
kind: normative-requirement
3+
summary: Clients MUST NOT use the Concealed HTTP authentication scheme on connections that do not use TLS >= 1.3, or TLS 1.2 without the extended master secret extension (RFC 7627). If a server receives such a request, it MUST treat the authentication as not present.
4+
section: "7"
5+
rfc2119_level: MUST NOT
6+
topics:
7+
- http
8+
- tls
9+
- security
10+
extracted_by: claude-sonnet-4-6
11+
extracted_at: "2026-07-12"
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
document: rfc-9729
2+
kind: normative-requirement
3+
summary: For RSASSA-PSS algorithms, BER encodings of the public key that are not also DER MUST be rejected.
4+
section: 3.1.1
5+
rfc2119_level: MUST
6+
topics:
7+
- http
8+
- crypto
9+
- pkix
10+
extracted_by: claude-sonnet-4-6
11+
extracted_at: "2026-07-12"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-9729
2+
kind: normative-requirement
3+
summary: HTTP servers that parse the Concealed-Auth-Export header field MUST ignore it unless they have already established that they trust the sender. Frontends that send Concealed-Auth-Export MUST ensure they do not forward any Concealed-Auth-Export header field received from the client.
4+
section: "6.2"
5+
rfc2119_level: MUST
6+
topics:
7+
- http
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-07-12"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-9729
2+
kind: normative-requirement
3+
summary: If any of the backend's five validation checks fail (parameter parsing, key ID lookup, public key match, verification field match, or cryptographic signature), the backend MUST treat the request as if the Authorization (or Proxy-Authorization) header field was missing.
4+
section: "6.3"
5+
rfc2119_level: MUST
6+
topics:
7+
- http
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-07-12"

0 commit comments

Comments
 (0)