Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec]

Henry Story wrote:
> On 1 Feb 2011, at 19:26, Peter Williams wrote:
> 
>> On ISSUE-19: SRP doesn't have much support because of patent licensing issues. But its example does show the relevance of the extensibility point called the ClientHello, which contrasts with cert-based extensibility points. Remember, the ClientHello data is ultimately authenticated by the handshake, providing the state machines are built correctly. It can be confidential, by the usual double-handshake trick.
> 
> Good to know.

But you'll find that HTTP Mutual Auth [1] does have a lot of support in 
the IETF and security arenas; people are gathering around it as a good 
starting point for creating a practical transitioning solution in the 
domain of HTTP auth.

I'd /strongly/ suggest we start liaising with some of the experts in the 
IETF communities (somebody like Tim Morgan, a security expert who 
understands the space well, author of [3], and often better known via 
[4]), and if possible get one or more of them into this group in order 
to cover our security issues, make sure WebID complements and plays 
nicely with the approach the IETF communities are taking, and 
potentially merge or layer the two.

What we're doing here, Web Identity and Auth, needs to be approached as 
if it will be the de facto ident/auth solution in a new web security and 
privacy model. The IETF communities, the Privacy communities, 
Device/Mobile communities, user agent vendors and others all need to 
converge here, not to create one tech, but to ensure a new suite of 
interoperable complementing techs with a central security model is 
created and adopted.

Best,

Nathan

[1] http://www.rcis.aist.go.jp/special/MutualAuth/
[2] http://vsecurity.com/resources/tool
[3] http://vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
[4] http://sentinelchicken.org/

Received on Friday, 4 February 2011 01:39:03 UTC
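The quoted remark about the ClientHello being an extensibility point refers to the length-prefixed extension list at the end of the ClientHello message, which is where RFC 5054 (SRP) carries the SRP username and RFC 6066 carries server_name. The following Python is an added example, not code from the thread or from the WebID project: it constructs a minimal TLS 1.2 ClientHello record (with a zeroed client random, a constructed input rather than captured traffic), then walks it and decodes the extensions, rejecting any length mismatch. Extension type numbers and cipher suite values are the IANA-registered ones; hostname and username are made up.

```python
"""Walk a TLS ClientHello and list its extensions (added example).

The ClientHello ends with a length-prefixed list of (type, length, data)
extensions.  RFC 5054 puts the SRP username there (type 12), RFC 6066
puts server_name there (type 0).  The sample record is constructed
below; the hostname and username are invented for the demonstration.
"""
import struct

# IANA TLS ExtensionType values for the types this example recognises.
EXTENSION_NAMES = {
    0: "server_name",              # RFC 6066
    10: "supported_groups",        # RFC 8422 / RFC 7919
    12: "srp",                     # RFC 5054
    13: "signature_algorithms",    # RFC 5246
    23: "extended_master_secret",  # RFC 7627
    65281: "renegotiation_info",   # RFC 5746
}


def build_client_hello(hostname: bytes, srp_user: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    # server_name: ServerNameList { NameType host_name(0), HostName }
    sni = b"\x00" + struct.pack("!H", len(hostname)) + hostname
    sni = struct.pack("!H", len(sni)) + sni
    # srp: opaque srp_I<1..2^8-1>, i.e. one length byte then the username
    srp = struct.pack("!B", len(srp_user)) + srp_user
    ext_list = ((0, sni), (12, srp), (23, b""))
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in ext_list)
    hello = (b"\x03\x03" + bytes(32)            # client_version, random (zeroed here)
             + b"\x00"                           # empty session_id
             + struct.pack("!H", 4) + b"\xc0\x1e\x00\x2f"  # SRP_SHA_RSA_AES128, RSA_AES128
             + b"\x01\x00"                       # compression_methods: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def _decode(ext_type: int, data: bytes):
    """Decode the extension bodies this example understands; hex otherwise."""
    if ext_type == 0:  # ServerNameList: list_len(2), then (type(1), len(2), name)*
        names, off, end = [], 2, 2 + _u16(data, 0)
        while off < end:
            name_type, ln = data[off], _u16(data, off + 1)
            off += 3
            names.append((name_type, data[off:off + ln].decode("ascii")))
            off += ln
        return names
    if ext_type == 12:  # srp_I: len(1) then username
        return data[1:1 + data[0]].decode("utf-8")
    return data.hex()


def parse_client_hello(record: bytes) -> dict:
    """Return version, cipher suites and decoded extensions of a ClientHello.

    Every length field is checked against the bytes actually present, so a
    truncated or padded record raises ValueError instead of being accepted.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) != _u16(record, 3) or len(body) < 4 or body[0] != 1:
        raise ValueError("not a complete ClientHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 0
    version = hello[off:off + 2].hex()
    off += 2 + 32                     # client_version, client random
    off += 1 + hello[off]             # session_id
    n = _u16(hello, off)
    off += 2
    suites = [_u16(hello, off + i) for i in range(0, n, 2)]
    off += n
    off += 1 + hello[off]             # compression_methods
    exts = {}
    if off < len(hello):              # extensions block is optional
        end = off + 2 + _u16(hello, off)
        off += 2
        if end != len(hello):
            raise ValueError("extensions length mismatch")
        while off + 4 <= end:
            et, el = struct.unpack_from("!HH", hello, off)
            off += 4
            data = hello[off:off + el]
            off += el
            if len(data) != el:
                raise ValueError("truncated extension %d" % et)
            exts[EXTENSION_NAMES.get(et, "unknown_%d" % et)] = _decode(et, data)
        if off != end:
            raise ValueError("trailing bytes in extension list")
    return {"version": version, "cipher_suites": suites, "extensions": exts}


if __name__ == "__main__":
    import json
    rec = build_client_hello(b"example.org", b"alice")
    print(json.dumps(parse_client_hello(rec), indent=2))
```

Running the module prints the decoded ClientHello, showing the SRP username and server name travelling in the clear before any key exchange; whether the peer later proves it saw exactly these bytes depends on the Finished message covering the full handshake transcript, which is the state-machine point the quoted message makes.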