Is it time to start thinking about next-generation authentication technologies for HTTP? We all know that BASIC and DIGEST are ancient and crufty and lacking many features and security properties we might want, but there hasn't been much discussion about more modern approaches. Here are a few things I've found: 1. Way back in 2001, Keith Burdis wrote an I-D about upgrading to SASL within HTTP: http://tools.ietf.org/id/draft-burdis-http-sasl-00.txt 2. In 2007, Robert Sayre put together a few slides on the topic: http://people.mozilla.com/~sayrer/2007/auth.html 3. Yutaka Oiwa and his colleagues have been working on a protocol for mutual auth: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08 Other than that, I'm not aware of much activity. What have I missed? Does it make sense to perhaps hold an exploratory BoF at the next IETF meeting (Prague, March 2011) to get people thinking about this topic? If you're interested, please discuss on the http-auth@ietf.org list: https://www.ietf.org/mailman/listinfo/http-auth Thanks! Peter -- Peter Saint-Andre https://stpeter.im/
Received on Friday, 10 December 2010 22:54:29 UTC