- From: Paul Hoffman <paul.hoffman@gmail.com>
- Date: Mon, 16 Jul 2012 13:49:49 -0700
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Greetings again. Stephen Farrell and I teamed up on the -01 for draft-farrell-httpbis-hoba. It has some major changes that might interest this WG as we decide which authentication mechanism(s) to adopt for HTTP 2. The proposed mechanism has changed from "TLS inside of HTTP" to a simple challenge-response with a signed response. Also, we propose using a .well-known URL scheme for the authentication assistance features such as sign-up and logout. We retain the basic property that this is an alternative to using passwords.

--Paul Hoffman

A new version of I-D, draft-farrell-httpbis-hoba-01.txt has been successfully submitted by Paul Hoffman and posted to the IETF repository.

Filename: draft-farrell-httpbis-hoba
Revision: 01
Title: HTTP Origin-Bound Authentication (HOBA)
Creation date: 2012-07-16
WG ID: Individual Submission
Number of pages: 11
URL: http://www.ietf.org/internet-drafts/draft-farrell-httpbis-hoba-01.txt
Status: http://datatracker.ietf.org/doc/draft-farrell-httpbis-hoba
Htmlized: http://tools.ietf.org/html/draft-farrell-httpbis-hoba-01
Diff: http://tools.ietf.org/rfcdiff?url2=draft-farrell-httpbis-hoba-01

Abstract:
HTTP Origin-Bound Authentication (HOBA) is an HTTP authentication method with credentials that are not vulnerable to simple phishing attacks, and that does not require a server-side password database. It is an alternative to HTTP authentication that requires passwords and all the negative attributes that come with password-based systems. HOBA can be integrated with account management and other applications running over HTTP and supports portability, so a user can associate more than one device or origin-bound certificate with the same service. HOBA has many other useful features such as a mechanism to handle state-loss if one of a user's credentials is lost and a logout mechanism.

Received on Monday, 16 July 2012 20:50:16 UTC