Re: [http-auth] side meeting on Wednesday, March 30

Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 28 March 2011 17:36 UTC


Dear all,

I'm looking forward to seeing you at 20:00 Wednesday in Karlin II/III.

My current plan for the side meeting is to mutually know each other's face by
meeting face-to-face, and to share the problem space which is broken now and
which is to be fixed by our future working group (hopefully).
The important point here is that the solutions must be not only implementable in
the HTTP client/server, but also deployable and usable by Web applications. I
believe this is the most problematic point of current largely-unused solutions,
including TLS client certificate authentication.

I will prepare a small presentation which will describe *my* view of what should
be done.  Your opinions and views are very welcome.
Also, I am waiting for inputs for the possible future agenda quoted below.

See you,

Yutaka

-------- Original Message --------
Subject: Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline
Monday/Possible W3C Workshop?
Date: Mon, 31 Jan 2011 20:54:37 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Harry Halpin <hhalpin@w3.org>
CC: http-auth@ietf.org

Dear Harry and all,

"Harry Halpin" <hhalpin@w3.org> writes:

> Another idea would be to hold an informal bar-BOF at Prague if the BOF
> can't be put together quickly enough as a bar-BOF would require less work
> and give us more time to bake the tech ideas or charter. I'll leave this
> decision in the hands of more experienced IETF folks.

In both ways, anyway, we will need a good-direction proposal and
agenda.  It is hard for me to write a "good" one, but I made a "bad" :-)
one as a starting point.

Please consider it for improvements and rephrasing.  Thanks, Harry, for
providing very good descriptions which I've used as a starting point.

 * Things to consider:

   - agenda not yet written
   - goal: currently ambiguous (intentionally); to discuss, or to form WG?

--------
Description:

The current authentication methods used in the Web system are prone to
various serious vulnerabilities, including password eavesdropping,
password stealing, session hijacking, and phishing.  Because of the lack
of good/secure support for web application authentication in the
HTTP layer, people tend to use HTML forms for authentication, which
are by nature insecure.

This problem should be solved as soon as possible to mitigate the
impact of Web authentication-related fraud on Internet
users. However, to solve this problem, the resulting technologies
should be carefully designed so that they will be well deployable in
real-world applications.

Recently we have several new proposals for securing Web/HTTP
authentication, some of which have proposed drafts.  In addition,
the work of the HTTPBIS working group is about to finish, and it will
require some maintenance work for the existing HTTP authentication
mechanisms, at least the registrations with IANA.

The purpose of the proposed BoF is to pursue creation of IETF working
groups on various HTTP authentication issues.  The possible topics of
the future working group may include the following:

 * Introduction of much more secure authentication mechanisms as
   extensions to HTTP.

 * Introduction of technologies which will enable more sophisticated
   use of HTTP authentication in the application layer.

 * Research on secure ways of Web/HTML authentication and the
   required protocol-side support for them.

 * Maintenance of existing HTTP authentication extensions (other than
   Basic and Digest), either checking their conformance with httpbis or
   making them historic.

 * Proposing addition of authentication schemes to the IANA registry
   as proposed by httpbis.

Both the BoF and the possible future working group expect good coordination with
W3C's effort on the related topics.


BoF proposed agenda:

 * Topics to be discussed in the future working group

 * TBD

Logistical information:

BoF Chairs: TBD
BOF Proponents: Harry Halpin, Yutaka OIWA, ... (TBD)
People expected: 50
Length of session: 90min
Conflicts to avoid: Working Groups in the APP and SEC areas
WebEX: no
Responsible AD: Peter Saint-Andre, Alexey Melnikov (tentative)
Goal: to pursue creation of IETF working groups
Drafts:  http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08; more to be
discussed
Mailing List: HTTP http-auth mailing list
Mailing List Archive: http://www.ietf.org/mail-archive/web/http-auth/
--------

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]