[http-auth] drafty http-auth wg charter

Sean Turner <turners@ieca.com> Thu, 13 September 2012 19:28 UTC

I'm glad to see there's some interest in an http-auth BOF.  With the 
deadlines fast approaching, I'd like to jump start the charter discussions 
by providing a drafty wg charter.  Feel free to use this or not.

spt

--------

HTTP authentication [ref] is currently used for user authentication by 
some web sites. While form-based user authentication is currently much 
more commonly used, there is utility in providing better documentation 
for existing HTTP user authentication schemes that are in use, and for 
documenting experimental HTTP user authentication schemes that might 
offer security benefits for future uses.

The httpbis WG recently issued a call for proposals [ref] for HTTP 
authentication schemes as part of its work in further developing HTTP, 
including work on HTTP/2.0.  While a number of proposals were made, 
[ref] there is at present no consensus to adopt any of those as 
standards-track work items within the httpbis WG.

The http-auth WG will develop a set of informational or experimental 
RFCs for HTTP user authentication schemes that could, following 
experimentation, be widely adopted as standards-track schemes for HTTP 
user authentication.

All schemes to be developed in the http-auth WG must be usable with the 
existing HTTP authentication framework, [ref] or with evolutions of that 
framework as developed in the httpbis WG. That is, the evolution of the 
HTTP authentication framework is to be done in the httpbis WG and not in 
the http-auth WG.

However, the http-auth WG may document requirements for changes or 
additions to the HTTP authentication framework, and any schemes developed 
in the http-auth WG that would benefit from such changes or additions to 
the HTTP authentication framework must document those changes or 
additions as an inherent part of their specifications. Any such schemes 
must, however, also be usable with the existing unmodified HTTP 
authentication framework.

The http-auth WG will work closely with the httpbis and tls WGs and the 
<<whatever>> WGs in W3C to ensure that the outcomes from the http-auth 
WG do not conflict with work done elsewhere.

The initial list of work items will be:

- <<the subset of the set of schemes that were proposed to
   the httpbis WG [ref] that survive the BoF>>

Adoption of additional work items will require a re-charter.

The following are out of scope:

- changes to HTTP
- changes to TLS
- definition of authentication mechanisms that do not work with
   the current HTTP authentication framework
- authentication of devices or components of web services (??)
   <<not sure about this bit, we don't want to boil any oceans,
   but maybe "just web sites" is too limiting?>>

Milestones:

- <<entirely dependent on the list of survivors>>