- From: Alexey Melnikov <alexey.melnikov@isode.com>
- Date: Tue, 31 Jul 2007 17:37:21 -0600
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Thanks to Ted Hardie for scribing in Jabber during the BOF and to RL 'Bob' Morgan for taking notes. Below are the notes produced by Bob, slightly edited by me. Please send me any corrections before August 9th. ============= call to order 9AM introduction by Mark Nottingham: httpbis: why are we here HTTP: more uses, more add-ons, more user agents all the time many issues with 2616, new developers are trying to second guess what is in the spec Review of draft-lafon-2616bis by Yves Lafon. two previous attempts to revise 2616 discussion on ietf-http-wg@w3.org list start on 2616bis from new XML, with issues collected by Jim Gettys 24 issues closed, 47 active comment: closed only in sense of these drafts if official activity starts, all would be open again could be considered "design team" as input to WG kinds of issues: references, whitespace, caching, security comment: errata doc has some official standing question: is the work described official W3C activity? answer: no official W3C activity exist at the moment the joint WG, way back when, used IETF process Review of http authentication mechanisms by Robert Sayre, Mozilla http://people.mozilla.com/~sayrer/2007/auth.html security, resource control, affinity almost all authentication in practice uses forms and cookies, why? site control over presentation, support for i18n, password control, logout, scalable problems need HTML rendering, ad hoc credential format, credentials are just data XSS/CSRF vulnerable mixed security messages 2617 provides framework, but little used in comparison Basic passwords in clear credentials must be sent in every request, no sessions Digest does have session support? complex spec, only simple modes implemented dictionary attacks possible migration from old authentications databases can be tricky enables DoS attacks various other schemes: OpenID, etc passwords are still passwords HTTP and cookies, Yngve Petterson, Opera cookie scope can be a problem in deeper domains site can set cookie which will be read by administratively distant server, possibly with bad effects various methods try to limit scope clients make guesses about relationship of DNS domains comment: problem is that users want cookies to go to some other servers don't want them to go to some other servers logout some sites want logout to destroy cache history no builtin behavior in clients, HTTP session solution associate URLs with named context add other stuff to context, eg cookies, credentials server- or timeout-controlled expiration of context draft-petterson-* drafts on this ETag on PUT issues, Cyrus Daboo, Apple what does strong ETag returned on PUT mean? clients don't know, so have to do a GET after a PUT to check CalDAV and AtomPub have conflicting definitions proposal: draft-reschke-http-etag-on-write-07 question: is it needed to specify one thing in 2616bis? or should different HTTP-based protocols go their own way? question: is it just that ETag is underspecified, needs replacement? answer: maybe comments from chat room about differing interpretations of etag ontology discussion of proposed WG start with scope meta-discussion ... proposed only to clarify, remove brokenness might lead to suggestions for improvements in future work eliot: concern that authentication improvement might need base changes so have to consider that when revising 2616, don't want to revise it twice sam: don't want to pressure new authentication work to fit clarification timing lisa: don't want this work to be individual effort has to be transparent process for large constituency, including consensus-assessment W3C doing usable-security work, depending on IETF for standard process to clarify: indivual work is very desirable, but as input to process paul hoffman: have to make sure extensibility in RFC 2617 supports any required authentication changes mark: extensibility is actually good, but misunderstood, so it should be clarified sam: talk about specific authentication proposals current proposals live within existing extensibility alexey: so should 2617 revisions be in scope of WG? cyrus: propose 3 docs: framework, Basic, Digest alexey: we might chose to permit scope refinement, eg only framework in scope robert sayer: not much evidence of success with MTI authentication in IETF new mechanisms will take many years to deploy propose implementations of competing security proposals prior to writing docs phb: basic should be removed from 2617bis digest is obsolete, should be replaced with SAML/WS-* jeff h: support development of effective new authentication solution sam: digest is actually useful, don't ditch it, but don't spend lots of time revising it clarifications OK, framework doc OK jeff h: also look at non-use of 2817 (upgrade to TLS) as issue phb: password, reauthentication separable cookies not good enough for authentication state management mark: interest in having actual charter discussion? (most in room raise hands, perhaps 40) mark: include 2617? eliot: ask for at least weak dependency ordering eg, make 2616bis closing dependent on authentication clarification michael richardson: ask again why no TLS upgrade (RFC 2817) use in real world jeff h: can just keep authentication issues in mind, without solving in charter chris newman: keep authentication considerations in scope for 2616bis work, but don't put in strict dependency paul h: many modern IETF charters include "out of scope" sections as a response to scope creep but can lead to more confusion, people bet on future work so shouldn't have "no new features" in charter alexey: should discourage new features, not prohibit michael richardson: need to clarify "unwritten rules" too people care about progression on standards track robert sayer: if new authentication mechanisms are backward-compatible, shouldn't imply any dependency on 2616 changes, right? lisa: need something in charter stating authentication dependency? eliot: don't need it bob morgan: do need it, else won't affect WG practice leif: does authentication include layers like TLS? sam: yes mark: proposal on table is 2616bis doc and "security properties of HTTP" doc to satisfy MTI authn discussion sam: is second doc informational? mark: intention is BCP paul hoffman: strongly suggest authentication document not be BCP, just informational mark: show of hands, informational? (30 hands, none opposed) chris newman: need to get HTTP/SSL on standards track, not informational mark: in the charter? chris newman: sure (as participant) alexey: should https/2818bis work be in authentication WG due to channel bindings? chris newman: they're separable ted hardie: may have to modify 2817 also to fix 2818 (or 2617?) john klensin: have to clean this mess up! (he was AD who started the HTTP WG) mark: how many people think that authentication work should not happen in httpbis WG? (30 hands up; none opposed) phb: do need glue between http and authentication work though leif: as long as doing things with headers, can happen elsewhere john klensin: security work should be driven by app reality, not by security theory and guided by IESG, not at mike lisa: who would do revisions but not authentication? (5 hands?) who would do authentication and not revisions? (15 hands) who would do both? (5 hands) lisa: hard to draw lines between different areas of work haven't yet seen the end of specific proposals, so hard to know mark: work on authentication is scary, may scare people away from WG chris newman: trying to move Digest forward on standards track would kill group focus on 2616 revisions, give some latitude, give chairs control john klensin: need a roadmap for the work prior to "creating a WG" and decision by relevant ADs on WGs after that ted hardie: are there volunteers for roadmap effort? john klensin: can't volunteer ... ted hardie: we're trying to avoid ratholes here, doing well having "requirements for extensibility" in charter is big rathole, so please remove it mark: larry masinter suggested those words ... harald: remove "security properties" item from this charter suggest moving concern about authentication elsewhere lisa: hands? (10 agree, 5 disagree. Sam disagrees) sam: would really like to see the properties doc happen lisa: who can live with that item remaining? sam: can live with leaving sec properties out of charter paul hoffman: security properties sounds like a great individual doc chris newman: this item was my suggestion, would like to see it lisa: who would work (write/read) on the sec properties doc? (8 or so hands) lisa: work on cookies? (5 hands) should be in charter? (5 hands) not in charter? (no hands?) lisa: see support on revising 2965 as in scope, but not blocking mark: everyone uses the Netscape doc, not 2965 harald: is this consistent with no new features? michael richardson: yes, make what people are doing with cookies real RFC alexey: there is an alternative proposal that restructures 2616 consider this as WG input? kurt z: does this matter to WG formation? alexey: some wanted to rule that approach out of scope robert sayer: that doc might compete well with the IETF doc, so it is better to have its proponents in the IETF WG harald: leave it to WG to decide alexey: incremental rev? (8 hands) big rewrite? (no hands) need to see proposal first? (10 hands) so "need to see" seems to win john klensin: can't have "rewrite completely", "guaranteed no big changes" and "fast" at the same time ted hardie: agree barry leiba: leave change style to editor of document alexey: may have to decide between competing approaches mark: still open questions on 2617, 2965, sec properties so we'll take that to the list
Received on Wednesday, 1 August 2007 09:22:08 UTC