HTTP-AUTH BoF
Wednesday afternoon
Chairs: Yoav Nir and Derek Atkins
Minutes by Paul Hoffman

Not repeating stuff on the slides, mostly catching the discussion.

Problem statement - Yoav

Lots of problems listed.

Eric Rescorla (Ekr): Clients can log off by rebooting. Servers can log off with cookies.
Oiwa: Cookies can be used to log in and out.
Justin Richer: Question of what is and is not "logoff". This isn't session management; it's just repeating stuff.
Mark Nottingham: Making HTTP authentication better is a good target. Don't try to fix Web authentication; beyond our abilities.
Henrik Levkowetz: Session concept is more important. Can't put a link on a web page to have the user log out. Wants to be able to log out from a web site.
Julian Reschke: Can't close IE 10 on Metro.
Ekr: Massive difference between fixing Web authentication and HTTP-Auth.
Phillip Hallam-Baker: We don't define what we mean as authentication. Could be getting a credential, could mean actually logging in. Only one belongs at the HTTP layer. We can change HTTP so that it talks to other layers better.
Henrik: Phill makes sense. Ekr's view is unconstructive.
Sam Hartman: Cares about things smaller than Web authentication.
Yoav: Get your own BoF.
Mark: There were non-obvious requirements for Web authentication. Major players are not here. This is a more important discussion than presentations.
  Lots of people agree with the last item.
Sean Turner: Getting the scope is hard. Goal is to get a bunch of experimental documents out there.
Derek: This is a BoF, not a WG.

HOBA - draft-farrell-httpbis-hoba - Stephen Farrell

Ekr: Why does this exist? It can already be done.
Stephen: Why hasn't it been done already?
Richard Barnes: This doesn't have continuity.
Jeff Hodges: This isn't about passwords being kept on the server side. This is waiting for WebCrypto from W3C.
Hannes Tschofenig: People can just do it, doesn't need standardization. Different understanding of which problems need to be fixed.
Phill: Wrote a draft that says you need a continuation mechanism. Symmetric crypto is better for a continuation mechanism.
Paul Leach: Could be done with a large unique per-site password.
Phil Hunt: Will be key management issues with multiple devices. Good for session continuance.

HTTP Mutual auth - Yutaka Oiwa

No questions / comments.

Multilegged Auth for HTTP/2.0 - draft-montenegro-httpbis-multilegged-auth - Gabriel Montenegro

Jeff: "Multiple round trips" should be used instead of "multi-legged".
Nico Williams: Suggesting to put state into the protocol. Are we still saying HTTP is stateless?
Gabriel: Is putting this into a layer.
Yutaka: Not all proposals need this mechanism. Only needed for things like NTLM and so on.
Gabriel: Wants to prevent them from being shut out of this world.
Leif Johansson: Had a draft a while ago. Need to deal with proxies: non-trivial. Need some content replication between servers. More to state handling than just cookies. May want to have TLS channel bindings.
Paul L: Shows a reasonable effort. This is a good way to not need to change stacks.
Leif: It is not always clear that you can separate the session identifier from the session identifier.

Salted Challenge Response (SCRAM) HTTP Authentication Mechanism - draft-melnikov-httpbis-scram-auth - Alexey Melnikov

Ekr: How does this map to the web authentication case?
Alexey: Typical is two round trips.
Yutaka: I already invented something like this.

RESTful Authentication - draft-williams-http-rest-auth - Nico

Jeff: Proposed something else that used SASL over HTTP, and it was implemented.
Sam: Maybe we should look at gluing HTTP to the application layer.
Nico: Adds a session header.
Paul L: This can be done in JavaScript with cookies.
Nico: It would work with all TLS; works with TLS Unique but not others.
Yutaka: Similar to OAuth with a MAC added.
Nico: Really doesn't care what mechanism they want to use. Works fine with ZKP proofs.

Charter discussion

How many people would be willing to do work that does not standardize but does experimental: 20-30
Feels like should not be formed: 0

Cullen Jennings: Really bad idea to have RFCs with lots of ideas.
Ekr: Is this a vanity publishing idea? Wants us to do one thing instead of five.
Yoav: If we had one thing to do, it would have been done by httpbis.
Phill: Solutions with privacy cause a problem.
Nico: Maybe a new name for an RFC that is experimental. If that's the only issue, fix that.
Yoav: Anyone can get an RFC with or without us. This is for better review.
Sam: All proposals today could get RFCs. This is about better quality; it is worth taking the time to make them better.
Jim Fenton: Different proposals had different goals in mind. What are we trying to accomplish? Different goals make it hard to decide if this is a good idea.
Joe Hildebrand: The IETF doesn't do well at research-like explorations. Feels like you are chartering people to wander around in the desert.
Peter Saint-Andre: No proposal to make the efforts talk to each other.
Ekr: There is a valuable something here. Web authentication space is full of stuff. The idea that what we will do will be picked up is divorced from reality.
Hannes: Wants to hold a workshop. There are some real identity problems. Some directions don't require any changes to HTTP Auth.
Leif: A set of toolbox proposals (multi-legged, ...). Doesn't have to be experimental.
Paul L: Concerned about the method for "better". Can make things better but not worthwhile. That definition will be the thing that makes people want to work together.
Stephen: You always get pushback because of Web auth. Starting something gets some good starting points.
Phill: Difference between web browsers and web services. Are people willing to use parts?
Hannes: Should have a use cases document and why the existing mechanisms don't fit their needs.
Yoav: HTTP is in the browser.
Sam: Cover other use cases for HTTP.
Jeff: Likes that.
Spencer Dawkins: Will this work cause other people to look at these documents?
Barry Leiba: Would expect the WG to have rough consensus that a particular document is worthwhile to publish. Also need to convince one AD to publish.
Peter: If we are calling these experiments, do real experiments.
  Some people clapped.
Gabriel: Two types of potential outcomes: what we have heard today as experimental; baby steps on the standards track.
Ekr: Maybe send this to the IRTF.
Stephen disagrees.