Web Authentication Enhancement BOF (WAE)
FRIDAY, July 14, 2006
0900-1130 Morning Session I
Room 519A

Chair: Pete Resnick
Minutes: Dick Hardt
(Additional Notes: Eliot Lear)

The meeting started off with the usual agenda review. Agenda was accepted as proposed.

The first item was Terminology.
Reading assignment: read RFC 2828
	Internet Security Glossary
	http://www.ietf.org/rfc/rfc2828.txt
Other Glossaries mentioned:
	Internet Security Glossary, Version 2
	http://www.ietf.org/internet-drafts/draft-shirey-secgloss-v2-04.txt

	SAMLv2: Glossary
	http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf

	"identity gang" lexicon
	http://identitygang.org/Lexicon


The next item was Problems we want to solve (see agenda)
A few things were added:
	- whitelisting
	- claim minimality
	- proof of server identity

Sam Hartman made his presentation, there were a few questions.

There was then additional discussion on Problems we want to solve.

Additional problems
	non-browsing HTTP support
	support for existing infrastructure
	Cross Application Credential (XAC)

There was a general concern that we could end up boiling the ocean.

Grouping of problems was then started.
Dick Hardt's slide was presented.

Ekr initially proposed grouping the problem up as:

EKR1: Non-insane replacement for HTTP digest
	- anti-phishing
	- passwords and other

EKR2: Cross-site identity
	- "Eliot's dad problem" (easily identify yourself to multiple sites), SSO

EKR3: Claim & Attribute Transferral

More detailed discussion on each problem then ensued:

EKR1: Fix HTTP Auth
AD questions to audience concluded with:
	- Liaise w/ W3C on GUI
	- Liaise w/ APWG
	- Layer / Arch TBD
	- can stand alone, but coordinate w/ EKR2 and EKR3
	EKR1 does not require EKR2

EKR2: Cross-site identifier
(Eliot's dad problem was broken off to be EKR4)
	- raw assertions of identity are easier to trust than attributes
	- name subordination
	- existing technology, but glue work
	Question: Is there glue work to be done by the IETF?
			- no one thinks there is no glue work, 15 think there is, 15 are not sure
	12 ok on work if EKR1 not happening,

EKR3: Claim & Attribute Transferral
	- existing claims and syntaxes may be used
	- binds attribute assertions to underlying communication
	- not limited to HTTP
	Question: Is there glue work to be done here by the IETF?
	12 support, a couple object

EKR4:
	- eliot's dad problem
	part of EKR1 & EKR 2

There seem to be strong support for working on the EKR 1 and EKR 2, weak support for the EKR 3, and a general agreement that EKR 4 should not be forgotten, although it was unclear whether EKR 4 needed to be solved separately from EKR 1 and EKR 2.

There also seemed to be general agreement that we should focus our efforts on fixing HTTP browsing first, non-browsing second, and not worry about cross application credentials.

Lisa and the IESG now have to determine whether there should be another BoF, separate BoFs for separate working groups or to do something else. Work done by other organizations, such as W3C, also need to take into account and note needs to be taken of UI concerns.

Meeting concluded 15 minutes late.