W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2011

FW: HTTP authentication side meeting

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Tue, 29 Mar 2011 00:41:41 +0200
Message-ID: <4D910EA5.5070804@stpeter.im>
To: IETF discussion list <ietf@ietf.org>, saag@ietf.org, websec@ietf.org, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
For those at IETF 80 interested in HTTP and authentication, there will
be a side meeting on Wednesday night for more in-depth discussion than
will be possible during the SAAG session on Thursday. Logistics are
20:00 in Karlin II/III. Further details below...

-------- Original Message --------
Subject: Re: [http-auth] side meeting on Wednesday, March 30
Date: Tue, 29 Mar 2011 02:37:30 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: http-auth@ietf.org <http-auth@ietf.org>

Dear all,

I'm looking forward to seeing you at 20:00 Wednesday in Karlin II/III.

My current plan for the side meeting is to mutually know each other's
face by
meeting face-to-face, and to share the problem space which is broken now and
which is to be fixed by our future working group (hopefully).
The important point here is that the solutions must be not only
implementable to
the HTTP client/server, but also deployable and usable by Web
applications. I
believe this is the most problematic point of current largely-unused
including TLS client certificate authentication.

I will prepare a small presentation which will describe *my* view of
what should
be done.  Your opinions and views are very welcome.
Also, I am waiting of inputs for the possible future agenda quoted below.

See you,


-------- Original Message --------
Subject: Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline
Monday/Possible W3C Workshop?
Date: Mon, 31 Jan 2011 20:54:37 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Harry Halpin <hhalpin@w3.org>
CC: http-auth@ietf.org

Dear Harry and all,

"Harry Halpin" <hhalpin@w3.org> writes:

> Another idea would be to hold an informal bar-BOF at Prague if the BOF
> can't be put together quickly enough as a bar-BOF would require less work
> and give us more time to bake the tech ideas or charter. I'll leave this
> decision in the hands of more experienced IETF folks.

In both ways, anyway, we will need a good-direction proposal and
agenda.  It is hard for me to write a "good" one, but I made a "bad" :-)
one as a starting point.

Please consider it for improvements and rephrasing.  Thanks Harry for
providing a very good descriptions which I've used as a staring point.

 * Things to consider:

   - agenda not yet written
   - goal: currently ambiguous (intentionally); to discuss, or to form WG?


The current authentication methods used in the Web system is prone to
various serious vulnerabilities, including password eavesdropping,
password stealing, session hijack, and phishing.  Because of the lack
of a good/secure support for web application authentication in the
HTTP layer, people tends to use HTML forms for authentication, which
are by nature insecure.

This problem should be solved as soon as possible to mitigate the
impact of Web authentication-related frauds to the Internet
users. However, to solve this problem, the resulting technologies
should be carefully designed so that these will be well deployable to
the real-world applications.

Recently we have several new proposals for securing Web/HTTP
authentications, some of which has a proposed drafts.  In addition,
the work of the HTTPBIS working group is about to finish, and it will
require some maintenance works for the HTTP existing authentication
mechanism, at least the registrations to IANA.

The purpose of the proposed BoF is to pursue creation of IETF working
groups on various HTTP authentication issues.  The possible topics of
the future working group may include the following topics:

 * Introduction of much more secure authentication mechanisms as
   extensions to the HTTP.

 * Introduction of technologies which will enable more sophisticated
   use of HTTP authentication in application layer.

 * Research on the secure ways of Web/HTML authentications and
   required protocol-side support for them

 * Maintenance of existing HTTP authentication extensions (other than
   Basic and Digest), either checking its httpbis-conforming or making
   it historic.

 * Proposing addition of authentication schemes to the IANA registry
   as proposed by httpbis.

Both BoF and possible future working group expect well coordination with
W3C's effort on the related topics.

BoF proposed agenda:

 * Topics to be discussed in the future working group

 * TBD

Logistical informations:

BoF Chairs: TBD
BOF Proponents: Harry Halpin, Yutaka OIWA, ... (TBD)
People expected: 50
Length of session: 90min
Conflicts to avoid: Working Groups in the APP and SEC areas
WebEX: no
Responsible AD: Peter Saint-Andre, Alexey Melnikov (tentative)
Goal: to pursue creation of IETF working groups
Drafts:  http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08; more
to be
Mailing List: HTTP http-auth mailing list
Mailing List Archive: http://www.ietf.org/mail-archive/web/http-auth/

Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
http-auth mailing list

Received on Monday, 28 March 2011 22:42:18 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:56 UTC