I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is a fairly brief document: 18 pages including appendices. The Abstract says that this document “…defines the HTTP Authentication framework” but the Introduction expands the description, saying that it “describes HTTP/1.1 access control and authentication.” I suggest the introduction be changed to match the abstract, especially since the principal focus of the document is authentication. There are several places where the term “authorization” is used. In many contexts, this term is a synonym for access control. However, in this context it seems to be used almost interchangeably with “authentication” in most places. I suspect the terminology choice arises for historical reasons, but it might be helpful to explicitly note this, where applicable.

The introduction says that it includes “the relevant parts of RFC 2616 with only minor changes ([RFC2616]), plus the general framework for HTTP authentication, as previously defined in "HTTP Authentication: Basic and Digest Access Authentication" ([RFC2617]).” The document updates RFC 2617, and obsoletes RFC 2616. It includes an appendix that describes the differences between this document and (the relevant portions) of 2616 and 2617.

I’m not sure whether the use of lowercase “ought” in four places in Section 2.3.1 is intended to express a new level of IETF standards compliance, perhaps filling the gap between MAY and SHOULD ;-) .

I like the fact that the Security Considerations section addresses implementation issues, since the document, overall, addresses security. Only two topics are discussed here, but both seem relevant.
I am surprised that there is no mention of using HTTPS, to protect the most commonly used credentials, i.e., passwords.
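To make the two technical points of the review concrete (the challenge/credentials framework the draft defines, and the closing remark that Basic passwords travel on the wire unless HTTPS is used), here is an added Python example. It is not code from the review, from the draft, or from the HTTP working group. It assumes the framework's grammar as I understand it: an auth-scheme followed by either a single token68 or a comma-separated list of auth-params, with several challenges allowed in one WWW-Authenticate field; the header values in the tests and the `__main__` block are constructed sample input, and the Basic example value is the well-known one from RFC 2617. The `decode_basic` helper exists only to show why the review asks for HTTPS: a Basic credential is base64, not encryption, so every hop on an unprotected path can read the password.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed framework ABNF (my reading of the HTTP authentication framework):
#   challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
#   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
#   auth-param  = token BWS "=" BWS ( token / quoted-string )
#   token68     = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
SEPARATOR_RE = re.compile(r"[\s,]*")            # list separators between challenges
SCHEME_RE = re.compile(TOKEN)
SP_RE = re.compile(r"[ \t]*")
AUTH_PARAM_RE = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED_STRING})")
COMMA_RE = re.compile(r"\s*,\s*")
TOKEN68_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


@dataclass
class Challenge:
    """One challenge (or one credentials value); scheme and param names are case-insensitive."""
    scheme: str
    token68: Optional[str] = None
    params: dict = field(default_factory=dict)


def parse_challenges(header: str) -> list:
    """Parse a WWW-Authenticate / Proxy-Authenticate field value into a list of challenges."""
    challenges = []
    pos, n = 0, len(header)
    while pos < n:
        pos = SEPARATOR_RE.match(header, pos).end()
        if pos >= n:
            break
        m = SCHEME_RE.match(header, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}")
        ch = Challenge(scheme=m.group(0).lower())
        pos = SP_RE.match(header, m.end()).end()
        if pos < n and header[pos] == "=":
            raise ValueError(f"auth-param without a scheme at offset {pos}")
        # Prefer auth-params; a bare "scheme b64data" falls through to token68 below.
        while True:
            m = AUTH_PARAM_RE.match(header, pos)
            if not m:
                break
            name, value = m.group(1).lower(), m.group(2)
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape quoted-pair
            if name in ch.params:
                raise ValueError(f"duplicate auth-param {name!r}")
            ch.params[name] = value
            pos = m.end()
            comma = COMMA_RE.match(header, pos)
            # A comma followed by another "name=value" continues this challenge;
            # a comma followed by a bare token starts the next challenge.
            if comma and AUTH_PARAM_RE.match(header, comma.end()):
                pos = comma.end()
            else:
                break
        if not ch.params:
            m = TOKEN68_RE.match(header, pos)
            if m:
                ch.token68 = m.group(0)
                pos = m.end()
        if pos < n and header[pos] not in " \t,":
            raise ValueError(f"unexpected {header[pos]!r} at offset {pos}")
        challenges.append(ch)
    return challenges


def parse_credentials(header: str) -> Challenge:
    """An Authorization field carries exactly one credentials value."""
    found = parse_challenges(header)
    if len(found) != 1:
        raise ValueError(f"expected one credentials value, found {len(found)}")
    return found[0]


def decode_basic(authorization: str) -> Optional[tuple]:
    """Return (user, password) for a Basic credentials value, None for other schemes.

    Basic is base64 of "user:password"; anyone who sees the request sees the
    password, which is why the review expects the draft to point at HTTPS.
    """
    cred = parse_credentials(authorization)
    if cred.scheme != "basic" or cred.token68 is None:
        return None
    raw = base64.b64decode(cred.token68, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credentials must contain a colon")
    return user, password


if __name__ == "__main__":
    # Constructed sample values, not taken from any real server.
    for c in parse_challenges('Basic realm="WallyWorld", Bearer realm="api", error="invalid_token", Negotiate'):
        print(c)
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

The parser keeps scheme and parameter names case-insensitive while leaving values untouched, rejects a duplicated auth-param, and treats a comma followed by a bare token as the start of the next challenge, which is the one genuinely awkward spot in the framework's list syntax.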