Re: [httpauth] Mutual authentication proposal

On 05.06.2012 02:27, Yutaka OIWA wrote:
> Dear all,
>
> with a few corrections from the May-21st draft,
> I submitted the HTTP Mutual authentication draft as an httpbis proposal.
>
> The proposal consists of two parts:
>
> <http://www.ietf.org/id/draft-oiwa-httpbis-mutualauth-00.txt>
> is the core proposal for HTTP Mutual authentication,
> using RFC 2617 architecture.
>
> <http://www.ietf.org/id/draft-oiwa-httpbis-auth-extension-00.txt>
> is the important companion draft for generic extensions
> which makes HTTP authentication useful again with
> many Web applications.
>
> The proposal is (both documents are) HTTP/1.1 compatible, and
> as far as core HTTP request/response semantics are kept,
> it should work with future HTTP/2.0, too.
>
> I will set up wiki pages for these around tomorrow or so.
> It will include information on available reference implementations,
> some more introductions and so on.
> I hope you will enjoy the proposed solution.
>
> Following previous suggestions on http-auth, crypto primitive choices
> are kept for future discussions.  One of the primitive candidates,
> which is now for an "example" or "reference" purpose,
> is available as an "individual" draft at
> <http://tools.ietf.org/html/draft-oiwa-http-mutualauth-algo-02>.
> To implement the core proposal now, please refer to this, too.
>
>
> P. S.
> I also incremented the individual draft revisions for book-keeping purposes.
> (One of these depends on the revision numbers embedded in the protocol).
> Contents of these are exactly the same as httpbis-proposed versions.


This seems much clearer than the earlier drafts. Thank you.

I think all those SHOULD statements about algorithm safety and choice
in section 11, second paragraph (under the bullet list), are relevant for
repeating in "Security Considerations" or as a separate sub-section from
11 outlining required considerations on extension algorithms defined by
other documents.

AYJ

Received on Tuesday, 5 June 2012 00:44:31 UTC