
Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

From: Dave Raggett <dsr@w3.org>
Date: Mon, 13 Dec 2010 10:17:34 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Jan Camenisch <jca@zurich.ibm.com>
Message-ID: <1292235454.20343.122.camel@ivy>
And let's not ignore secure privacy enhancing technologies like
anonymous credentials and zero knowledge proofs, see e.g.:

http://www.w3.org/QA/2010/11/boosting_privacy_online_-_anon.html

It is often sufficient to know that someone is a member of a group or
has certain attributes rather than knowing exactly who that person is. 

Perhaps we could add to SASL the notion of secure anonymous access for
authenticated access?  This involves the client generating and passing a
proof to the server that satisfies the proof specification and nonce
provided by the server.

[ Jan, see http://datatracker.ietf.org/wg/kitten/charter/ ]

n.b. this work was carried out with support from the European PrimeLife
project on privacy and identity, see http://www.primelife.eu/

On Sun, 2010-12-12 at 14:39 -0800, Roy T. Fielding wrote:
> On Dec 12, 2010, at 10:40 AM, Alexey Melnikov wrote:
> 
> > Yoav Nir wrote:
> > 
> >> EAP has one advantage. It is easy to integrate with existing
> >> RADIUS/DIAMETER infrastructure.
> >> 
> > True.
> > And SASL has an advantage that it is easier to integrate with LDAP
> > infrastructure.
> > 
> > I think this just demonstrates that before an HTTP authentication
> > mechanism can be evaluated, people need to agree on common
> > evaluation criteria for HTTP authentication.
> 
> Define them all and let's have a bake-off.  It has been 16 years since
> HTTP auth was taken out of our hands so that the security experts could
> define something perfect.  Zero progress so far.  We should just define
> everything and let the security experts do what they do best -- find the
> holes and tell us what not to implement.
> 
> ....Roy
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
> 

-- 
 Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
Received on Monday, 13 December 2010 10:18:22 GMT
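The exchange Dave sketches above (server sends a proof specification plus a nonce, client returns a proof that it is a group member without saying which one) can be illustrated with a small non-interactive OR-proof. The block below is an added example, not code from Dave, W3C, PrimeLife or the Idemix anonymous-credential system they point to; it uses a Cramer-Damgard-Schoenmakers OR-proof of knowledge over Schnorr keys, made non-interactive with Fiat-Shamir and bound to the server nonce. The 64-bit Schnorr group, SHA-256, the "members" list and the spec label `member-of:staff-2010` are all constructed for illustration and are not a production parameter set.

```python
"""Added example: toy "secure anonymous access" of the kind sketched above.
Not Idemix/PrimeLife code.  A client holding ONE of the enrolled Schnorr keys
proves membership to a server-chosen nonce; the proof is the same shape for
every member, so the server learns "is a member", not "which member".
Assumptions: a 64-bit safe-prime group (illustrative only), SHA-256 for
Fiat-Shamir, and a constructed three-member group."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (covers our ~65-bit p)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Deterministically pick a safe prime p = 2q + 1 and g generating the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, pow(2, 2, p)  # 4 is a square, hence lies in (and generates) the order-q subgroup


P, Q, G = make_group()  # illustrative toy parameters, far too small for real use


def keygen():
    """One credential = a Schnorr keypair; the public key y is enrolled in the group list."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(spec, nonce, pubkeys, commitments):
    """Fiat-Shamir challenge over the proof spec, the server nonce, the group and all commitments."""
    h = hashlib.sha256(spec.encode() + b"|" + nonce)
    for v in list(pubkeys) + list(commitments):
        h.update(v.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prove_membership(spec, nonce, pubkeys, k, x_k):
    """Client side: OR-proof of knowing the secret behind pubkeys[k]; all other branches are simulated."""
    assert pow(G, x_k, P) == pubkeys[k]
    n = len(pubkeys)
    c, s, t = [0] * n, [0] * n, [0] * n
    for i, y in enumerate(pubkeys):
        if i == k:
            continue
        c[i], s[i] = secrets.randbelow(Q), secrets.randbelow(Q)  # simulated branch: pick (c, s), derive t
        t[i] = pow(G, s[i], P) * pow(y, Q - c[i], P) % P          # y^(Q-c) == y^(-c) since y has order Q
    r = secrets.randbelow(Q)
    t[k] = pow(G, r, P)  # real branch: honest Schnorr commitment
    total = challenge(spec, nonce, pubkeys, t)
    c[k] = (total - sum(c[i] for i in range(n) if i != k)) % Q  # forces the challenge shares to add up
    s[k] = (r + c[k] * x_k) % Q
    return list(zip(c, s))  # every branch looks alike; k is not recoverable from the proof


def verify_membership(spec, nonce, pubkeys, proof):
    """Server side: rebuild every commitment from (c, s) and check the shares sum to the challenge."""
    if len(proof) != len(pubkeys):
        return False
    t = [pow(G, s, P) * pow(y, Q - c, P) % P for y, (c, s) in zip(pubkeys, proof)]
    return challenge(spec, nonce, pubkeys, t) == sum(c for c, _ in proof) % Q


def demo():
    """Constructed exchange: three enrolled members, the client is member 1."""
    members = [keygen() for _ in range(3)]
    pubkeys = [y for _, y in members]
    spec = "member-of:staff-2010"     # hypothetical proof-specification label sent by the server
    nonce = secrets.token_bytes(16)   # server-chosen, fresh per request
    proof = prove_membership(spec, nonce, pubkeys, 1, members[1][0])
    return {
        "accepted": verify_membership(spec, nonce, pubkeys, proof),
        "replayed": verify_membership(spec, secrets.token_bytes(16), pubkeys, proof),  # old proof, new nonce
        "tampered": verify_membership(spec, nonce, pubkeys, [(c, (s + 1) % Q) for c, s in proof]),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties matter for the protocol in the mail: the nonce is hashed into the challenge, so a captured proof cannot be replayed against a later request, and the verifier only ever sees one `(c, s)` pair per enrolled key with the shares summing to the challenge, so nothing distinguishes the real branch from the simulated ones. What this toy lacks, and what systems like Idemix add, is an issuer-signed credential rather than a public list of member keys, so the group need not be enumerated to every verifier.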
