Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline Monday/Possible W3C Workshop?
Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 31 January 2011 11:51 UTC
To: Harry Halpin <hhalpin@w3.org>
References: <1c2bbcf25744cc1b9a8627f2a9bd66a3.squirrel@webmail-mit.w3.org> <4D4670CF.7060301@aist.go.jp> <abc33601a820ad6566c33b8f81129f17.squirrel@webmail-mit.w3.org>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Mon, 31 Jan 2011 20:54:37 +0900
In-Reply-To: <abc33601a820ad6566c33b8f81129f17.squirrel@webmail-mit.w3.org> (Harry Halpin's message of "Mon\, 31 Jan 2011 10\:45\:12 -0000 \(GMT\)")
Message-ID: <87pqrd5lvm.fsf@bluewind.rcis.aist.go.jp>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: http-auth@ietf.org
Subject: Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline Monday/Possible W3C Workshop?
Dear Harry and all,

"Harry Halpin" <hhalpin@w3.org> writes:

> Another idea would be to hold an informal bar-BOF at Prague if the BOF
> can't be put together quickly enough as a bar-BOF would require less work
> and give us more time to bake the tech ideas or charter. I'll leave this
> decision in the hands of more experienced IETF folks.

In both ways, anyway, we will need a good-direction proposal and agenda.
It is hard for me to write a "good" one, but I made a "bad" :-) one as a
starting point. Please consider it for improvements and rephrasing.
Thanks Harry for providing a very good description which I've used as a
starting point.

* Things to consider:
  - agenda not yet written
  - goal: currently ambiguous (intentionally); to discuss, or to form WG?

--------
Description:

The current authentication methods used in the Web system are prone to
various serious vulnerabilities, including password eavesdropping,
password stealing, session hijack, and phishing. Because of the lack of
good/secure support for web application authentication in the HTTP
layer, people tend to use HTML forms for authentication, which are by
nature insecure. This problem should be solved as soon as possible to
mitigate the impact of Web authentication-related frauds on Internet
users. However, to solve this problem, the resulting technologies
should be carefully designed so that they will be well deployable to
real-world applications.

Recently we have several new proposals for securing Web/HTTP
authentication, some of which have proposed drafts. In addition, the
work of the HTTPBIS working group is about to finish, and it will
require some maintenance work for the existing HTTP authentication
mechanism, at least the registrations to IANA.

The purpose of the proposed BoF is to pursue creation of IETF working
groups on various HTTP authentication issues.

The possible topics of the future working group may include the
following topics:

* Introduction of much more secure authentication mechanisms as
  extensions to HTTP.
* Introduction of technologies which will enable more sophisticated use
  of HTTP authentication in the application layer.
* Research on the secure ways of Web/HTML authentication and required
  protocol-side support for them.
* Maintenance of existing HTTP authentication extensions (other than
  Basic and Digest), either checking their httpbis conformance or making
  them historic.
* Proposing addition of authentication schemes to the IANA registry as
  proposed by httpbis.

Both the BoF and a possible future working group expect good
coordination with W3C's efforts on the related topics.

BoF proposed agenda:
* Topics to be discussed in the future working group
* TBD

Logistical information:
BoF Chairs: TBD
BOF Proponents: Harry Halpin, Yutaka OIWA, ... (TBD)
People expected: 50
Length of session: 90min
Conflicts to avoid: Working Groups in the APP and SEC areas
WebEX: no
Responsible AD: Peter Saint-Andre, Alexey Melnikov (tentative)
Goal: to pursue creation of IETF working groups
Drafts: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08; more to be discussed
Mailing List: HTTP http-auth mailing list
Mailing List Archive: http://www.ietf.org/mail-archive/web/http-auth/
--------

-- 
Yutaka OIWA, Ph.D.
Research Scientist
Research Center for Information Security (RCIS)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]