
HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 24 Dec 2009 20:28:46 +0900
To: apps-discuss@ietf.org, public-web-security@w3.org
Cc: ietf-http-wg@w3.org, ietf-http-auth@osafoundation.org
Message-ID: <87skb0lifl.fsf@bluewind.rcis.aist.go.jp>
Dear people on IETF apps-discuss/public-web-security mailing lists
and other related lists,

I would like to introduce our proposal on HTTP mutual authentication.

 (I directed the Reply-to: header to the newly-created
  public-web-security mailing list, but I also welcome private replies
  or those to other lists.)

Our proposal brings a strong, password-based mutual authentication
to the HTTP authentication protocol.
Our aims are to overcome several deficiencies (both for security and usability)
in current HTTP authentication mechanisms, and to replace weak form-based
authentication, which is used in most current Web apps, with
stronger HTTP protocol-supported authentication.
We designed the protocol so that (a) it removes any threats related to
password/secret stealing like phishing or other attacks, (b) it will be
extremely easy to use, and (c) it can accept many Web applications
which were not well-supported with current HTTP authentication
architecture (in RFC 2617).
We believe that this is the correct direction for the future of
Web application authentication.

Our proposed draft spec is available from
   <http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05>.
We put a preprint paper on our concept at ArXiv 
   <http://arxiv.org/abs/0911.5230>,
and a presentation from a past httpbis WG meeting is also available from
   <http://tools.ietf.org/agenda/74/slides/httpbis-3.pdf>.
I would appreciate your reading of and comments on those documents.

Furthermore, we have published running code for a protocol
implementation for Mozilla Firefox, available from
   <https://bugzilla.mozilla.org/show_bug.cgi?id=532127>.
A pre-compiled binary, server-side implementations and a running demonstration
are available on our website
   <https://www.rcis.aist.go.jp/special/MutualAuth/index-en.html>.


I noticed that the registration for IETF 77 at Anaheim is now open.
I would like to have a meet-up of people related to general HTTP
authentication issues/proposals at Anaheim.
I have been told by Lisa that several HTTP-related WGs and BoFs are
expected in Anaheim, and I think this will be a good
opportunity for us to meet up.  If you have any good ideas, please let me know.

Have nice holidays, register for IETF 77 and see you in Anaheim!

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
Received on Friday, 25 December 2009 08:01:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT