Network Working Group G. Bossert Request for Comments: 2084 S. Cooper
Category: Informational Silicon Graphics Inc.W. Drummond IEEE, Inc. January 1997
This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
In this document, we specify the requirements for WTS, with the intent of codifying perceived Internet-wide needs, along with existing practice, in a way that aids in the evaluation and development of such protocols.
WTS is an enhancement to an object transport protocol. As such, it does not provide independent certification of documents or other data objects outside of the scope of the transfer of said objects. In addition, security at the WTS layer is independent of and orthogonal to security services provided at underlying network layers. It is envisioned that WTS may coexist in a single transaction with such mechanisms, each providing security services at the appropriate level, with at worst some redundancy of service.
Transaction: A complete HTTP action, consisting of a request from the client and a response from the server.
Gatewayed Service: A service accessed, via HTTP or an alternate protocol, by the HTTP server on behalf of the client.
Mechanism: An specific implementation of a protocol or related subset of features of a protocol.
o Confidentiality of the HTTP request and/or response. o Data origin authentication and data integrity of the HTTP request and/or response. o Non-repudiability of origin for the request and/or response. o Transmission freshness of request and/or response. o Ease of integration with other features of HTTP. o Support of multiple mechanisms for the above services.
WTS should support the authentication of the origin HTTP server or gatewayed services regardless of intermediary proxy or caching servers.
To allow user privacy, WTS must support service authentication with user anonymity.
Because the identity of the object being requested is potentially sensitive, service authentication should occur before any part of the request, including the URI of the requested object, is passed. In cases where the authentication process depends on the URI (or other header data) of the request, such as gatewayed services, the minimum necessary information to identify the entity to be authenticated should be passed.
WTS should support the authentication of the client to gatewayed services.
WTS should support the authentication of the client to the origin HTTP server regardless of intermediary proxy servers.
In accordance with the layered model of network protocols, WTS must be:
o independent of the content or nature of data objects being transported although special attention to reference integrity of hyperlinked objects may be appropriate
o implementable over a variety of connection schemes and underlying transport protocols
o Accommodation of variations in site policies, including those due to external restrictions on the availability of cryptographic technologies.
o Support for a variety of applications and gatewayed services.
o Support for parallel implementations within and across administrative domains.
o Accomodation of application-specific performance/security tradeoffs.
To allow interoperability across domains, and to support the transition to new/upgraded mechanisms, WTS should provide negotiation of authentication and encryption mechanisms.
[2] G. Bossert, S. Cooper, W. Drummond. "Requirements of Secure Object Transfer Protocols", Work in Progress <URL:http://www-ns.rutgers.edu/www-security/draft/ draft-rutgers-sotp-requirements-00.txt>, March 1995.
The revision history of this document can be located at <URL:http://reality.sgi.com/csp/wts-wg/wts-documents.html>
Eric Rescorla of Terisa <ekr@terisa.com> provided valuable comments on an early draft of a document called "Requirements of Secure Object Transfer" [2], a principal influence on this document.
Simon Cooper Silicon Graphics, Inc. MS 15-7 2011 North Shoreline Blvd. Mountain View, CA 94043-1389 USA
Walt Drummond Institute of Electrical and Electronics Engineers, Inc. 445 Hoes Lane Piscataway, NJ 08855-1331 USA
Phone: 908-562-6545 Fax: 908-562-1727 EMail: drummond@ieee.org