
Re: HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Tue, 29 Dec 2009 15:50:28 +0900
To: =JeffH <Jeff.Hodges@KingsMountain.com>
Cc: oauth@ietf.org, apps-discuss@ietf.org, public-web-security@w3.org, ietf-http-auth@osafoundation.org, ietf-http-wg@w3.org
Message-ID: <874onal1e3.fsf@bluewind.rcis.aist.go.jp>

Dear Jeff,

[ Sorry again for one more cross-posting response for an important comment,
  and please edit the reply addresses whenever appropriate ]

(for people in OAuth ML: this is a reply to http://lists.w3.org/Archives/Public/ietf-http-wg/2009OctDec/0356.html)

=JeffH <Jeff.Hodges@KingsMountain.com> writes:

> Thanks for sending out this announcement regarding your on-going work. Having a
> meetup of one form or another to discuss HTTP authentication will be useful.
> In regard to the working-group context though, I note that the feedback given
> on your presentation at IETF-74 in SF was that it was likely that the
> appropriate place to discuss this work would be the to-be-formed OAuth WG...
> Indeed, the OAuth WG has now formed
> <http://www.ietf.org/dyn/wg/charter/oauth-charter.html> and its charter has
> this note down towards the end..
> > The Working Group will also define a generally applicable
> > HTTP authentication mechanism (i.e., browser-based "2-leg"
> > scenario).
> So I respectfully suggest re-sending your message to <oauth@ietf.org> and
> taking discussion there -- and for those interested folks to subscribe to
> <oauth@ietf.org>.

Thank you very much for the important comment.

Yes, it was once suggested to us at San Francisco that we would be better
redirected to the OAuth WG, and I also attended the OAuth WG there.
However, after that I felt lost between the two WGs, because most
of the discussions in the OAuth ML and WG meeting are focused on the
OAuth-related protocol only.  Moreover, most of the discussions on
HTTP authentication (except OAuth) were still going on in the httpbis ML.

I wanted to talk to people at IETF meetings about this, because I was not
sure whether the redirection was accepted by the OAuth WG.  But as
there were no OAuth/httpbis WGs at Stockholm, we couldn't plan on going there.
Then I talked personally at the Apparea meeting at Hiroshima in Japan
(where we can go easily and inexpensively :-)) and there it was
suggested to me that I first introduce our proposal to the apps-discuss ML.
Coincidentally, a new mailing list well suited for
discussing general HTTP security matters came along at a very good
time.  These are the reasons why I sent the previous mail to these
two MLs.  I also included the http and http-auth MLs in the Cc list,
because I had sent our proposal previously to these, and because
I thought that there might be people interested in generic HTTP
authentication issues.

I am still unclear whether there is a consensus in
people's minds that the scope of the OAuth WG really includes "generic"
HTTP authentication issues "unrelated to OAuth", because all the contents
of the WG charter (except the one sentence Jeff has mentioned) seem to me
to consider only OAuth-related things.  These are mostly unchanged
from an older charter draft which had stated "generic HTTP auth is out
of scope".
In other words, I read that sentence in the charter as
"to define OAuth-based 2-leg auth scheme generally applicable to HTTP",
considering other parts of the charter and other resources.
That's why I have hesitated to break in on the OAuth WG with our proposal
without prior consent, and I will be happy if there is a clear
statement on that.

Anyway, I will now forward my previous mail to the IETF OAuth ML, which
should have been included in the CC list.  I'll keep reading any MLs
I have mentioned, including OAuth.

# Please forgive my late mail replies, as I am almost drowning
# in the surging waves of English mails (especially in the httpbis MLs)...

I will of course attend all HTTP-related WGs at Anaheim, and I'm
looking forward to talking to people there.

Thanks again,

Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
Received on Tuesday, 29 December 2009 06:51:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC