HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 24 Dec 2009 20:28:46 +0900
To: apps-discuss@ietf.org, public-web-security@w3.org
Cc: ietf-http-wg@w3.org, ietf-http-auth@osafoundation.org
Message-ID: <87skb0lifl.fsf@bluewind.rcis.aist.go.jp>

Dear people on IETF apps-discuss/public-web-security mailing lists
and other related lists,

I would like to introduce our proposal on HTTP mutual authentication.

 (I directed the Reply-to: header to the newly-created
  public-web-security mailing list, but I also welcome private replies
  or those to other lists.)

Our proposal brings a strong, password-based mutual authentication
to the HTTP authentication protocol.
Our aims are to overcome several deficiencies (both for security and usability)
in current HTTP authentication mechanisms, and to replace weak form-based
authentication, which is used in most current Web apps, with
stronger HTTP protocol-supported authentication.
We designed the protocol so that (a) it removes any threats related to
password/secret stealing like phishing or other attacks, (b) it will be
extremely easy-to-use, and (c) it can accept many Web applications
which were not well-supported by the current HTTP authentication
architecture (in RFC 2617).
We believe that this is a correct direction for the future of
Web application authentication.

Our proposed draft spec is available from
We put a preprint paper on our concept at ArXiv 
and a presentation in a past httpbis WG is also available from
I appreciate your reading and comments on those documents.

Furthermore, we have published running code of the protocol
implementation for Mozilla Firefox, available from
A pre-compiled binary, server-side implementations and a running demonstration
are available on our website

I noticed that the registration for IETF 77 at Anaheim is now open.
I would like to have a meet-up of people related to general HTTP
authentication issues/proposals at Anaheim.
I have been told by Lisa that there will be several HTTP-related
WGs and BoFs expected in Anaheim, and I think there will be a good
opportunity for us to meet up.  If you have any good ideas, please let me know.

Have nice holidays, register for IETF 77 and see you in Anaheim!

Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
Received on Friday, 25 December 2009 08:01:00 UTC