- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Thu, 24 Dec 2009 20:28:46 +0900
- To: apps-discuss@ietf.org, public-web-security@w3.org
- Cc: ietf-http-wg@w3.org, ietf-http-auth@osafoundation.org
Dear people on the IETF apps-discuss/public-web-security mailing lists and other related lists,

I would like to introduce our proposal on HTTP mutual authentication. (I directed the Reply-to: header to the newly-created public-web-security mailing list, but I also welcome private replies or those to other lists.)

Our proposal brings a strong, password-based mutual authentication to the HTTP authentication protocol. Our aims are to overcome several deficiencies (both for security and usability) in current HTTP authentication mechanisms, and to replace weak form-based authentication, which is used in most current Web apps, with stronger HTTP protocol-supported authentication. We designed the protocol so that (a) it removes any threats related to password/secret stealing like phishing or other attacks, (b) it will be extremely easy to use, and (c) it can accept many Web applications which were not well supported by the current HTTP authentication architecture (in RFC 2617). We believe that this is a correct direction for the future of Web application authentication.

Our proposed draft spec is available from <http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05>. We put a preprint paper on our concept at ArXiv <http://arxiv.org/abs/0911.5230>, and a presentation from a past httpbis WG is also available from <http://tools.ietf.org/agenda/74/slides/httpbis-3.pdf>. I would appreciate your reading and commenting on those documents.

Furthermore, we have published running code of the protocol implementation for Mozilla Firefox, available from <https://bugzilla.mozilla.org/show_bug.cgi?id=532127>. A pre-compiled binary, server-side implementations and a running demonstration are available on our website <https://www.rcis.aist.go.jp/special/MutualAuth/index-en.html>.

I noticed that the registration for IETF 77 at Anaheim is now open. I would like to have a meet-up of people related to general HTTP authentication issues/proposals at Anaheim. I have been told by Lisa that there will be several HTTP-related WGs and BoFs expected in Anaheim, and I think there will be a good opportunity for us to meet up. If you have any good ideas, please let me know.

Have nice holidays, register for IETF 77 and see you in Anaheim!

--
Yutaka OIWA, Ph.D.
Research Scientist
Research Center for Information Security (RCIS)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
Received on Thursday, 24 December 2009 11:30:23 UTC