HTTP authentication: the next generation

Is it time to start thinking about next-generation authentication
technologies for HTTP?

We all know that BASIC and DIGEST are ancient and crufty and lacking
many features and security properties we might want, but there hasn't
been much discussion about more modern approaches. Here are a few things
I've found:

1. Way back in 2001, Keith Burdis wrote an I-D about upgrading to SASL
within HTTP: http://tools.ietf.org/id/draft-burdis-http-sasl-00.txt

2. In 2007, Robert Sayre put together a few slides on the topic:
http://people.mozilla.com/~sayrer/2007/auth.html

3. Yutaka Oiwa and his colleagues have been working on a protocol for
mutual auth: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08

Other than that, I'm not aware of much activity. What have I missed?
Does it make sense to perhaps hold an exploratory BoF at the next IETF
meeting (Prague, March 2011) to get people thinking about this topic?

If you're interested, please discuss on the http-auth@ietf.org list:

https://www.ietf.org/mailman/listinfo/http-auth

Thanks!

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

Received on Friday, 10 December 2010 22:54:29 UTC