The Concealed HTTP Authentication Scheme
RFC 9729, “The Concealed HTTP Authentication Scheme”, is a Proposed Standard document published in February 2025 by D. Schinazi, D. Oliver, J. Hoyland. The canonical text is published by the RFC Editor.
Abstract
Most HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes; however, that only works with non-cryptographic authentication schemes: cryptographic signatures require a fresh nonce to be signed. Prior to this document, there was no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document defines a new non-probeable cryptographic authentication scheme.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9729 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 9728 OAuth 2.0 Protected Resource Metadata
- RFC 9730 Interworking of GMPLS Control and Centralized Controller Systems
- RFC 9731 A YANG Data Model for Virtual Network Operations
- RFC 9727 api-catalog: A Well-Known URI and Link Relation to Help Discovery of APIs
- RFC 9732 A Framework for NRP-Based Enhanced Virtual Private Networks
- RFC 9726 Operational Considerations for Use of DNS in Internet of Things Devices
- RFC 9733 BRSKI with Alternative Enrollment
- RFC 9725 WebRTC-HTTP Ingestion Protocol