For those at IETF 80 interested in HTTP and authentication, there will be a side meeting on Wednesday night for more in-depth discussion than will be possible during the SAAG session on Thursday. Logistics are 20:00 in Karlin II/III. Further details below... -------- Original Message -------- Subject: Re: [http-auth] side meeting on Wednesday, March 30 Date: Tue, 29 Mar 2011 02:37:30 +0900 From: Yutaka OIWA <y.oiwa@xxxxxxxxxx> To: http-auth@xxxxxxxx <http-auth@xxxxxxxx> Dear all, I'm looking forward to seeing you at 20:00 Wednesday in Karlin II/III. My current plan for the side meeting is to mutually know each other's face by meeting face-to-face, and to share the problem space which is broken now and which is to be fixed by our future working group (hopefully). The important point here is that the solutions must be not only implementable to the HTTP client/server, but also deployable and usable by Web applications. I believe this is the most problematic point of current largely-unused solutions including TLS client certificate authentication. I will prepare a small presentation which will describe *my* view of what should be done. Your opinions and views are very welcome. Also, I am waiting of inputs for the possible future agenda quoted below. See you, Yutaka -------- Original Message -------- Subject: Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline Monday/Possible W3C Workshop? Date: Mon, 31 Jan 2011 20:54:37 +0900 From: Yutaka OIWA <y.oiwa@xxxxxxxxxx> To: Harry Halpin <hhalpin@xxxxxx> CC: http-auth@xxxxxxxx Dear Harry and all, "Harry Halpin" <hhalpin@xxxxxx> writes: > Another idea would be to hold an informal bar-BOF at Prague if the BOF > can't be put together quickly enough as a bar-BOF would require less work > and give us more time to bake the tech ideas or charter. I'll leave this > decision in the hands of more experienced IETF folks. In both ways, anyway, we will need a good-direction proposal and agenda. It is hard for me to write a "good" one, but I made a "bad" :-) one as a starting point. Please consider it for improvements and rephrasing. Thanks Harry for providing a very good descriptions which I've used as a staring point. * Things to consider: - agenda not yet written - goal: currently ambiguous (intentionally); to discuss, or to form WG? -------- Description: The current authentication methods used in the Web system is prone to various serious vulnerabilities, including password eavesdropping, password stealing, session hijack, and phishing. Because of the lack of a good/secure support for web application authentication in the HTTP layer, people tends to use HTML forms for authentication, which are by nature insecure. This problem should be solved as soon as possible to mitigate the impact of Web authentication-related frauds to the Internet users. However, to solve this problem, the resulting technologies should be carefully designed so that these will be well deployable to the real-world applications. Recently we have several new proposals for securing Web/HTTP authentications, some of which has a proposed drafts. In addition, the work of the HTTPBIS working group is about to finish, and it will require some maintenance works for the HTTP existing authentication mechanism, at least the registrations to IANA. The purpose of the proposed BoF is to pursue creation of IETF working groups on various HTTP authentication issues. The possible topics of the future working group may include the following topics: * Introduction of much more secure authentication mechanisms as extensions to the HTTP. * Introduction of technologies which will enable more sophisticated use of HTTP authentication in application layer. * Research on the secure ways of Web/HTML authentications and required protocol-side support for them * Maintenance of existing HTTP authentication extensions (other than Basic and Digest), either checking its httpbis-conforming or making it historic. * Proposing addition of authentication schemes to the IANA registry as proposed by httpbis. Both BoF and possible future working group expect well coordination with W3C's effort on the related topics. BoF proposed agenda: * Topics to be discussed in the future working group * TBD Logistical informations: BoF Chairs: TBD BOF Proponents: Harry Halpin, Yutaka OIWA, ... (TBD) People expected: 50 Length of session: 90min Conflicts to avoid: Working Groups in the APP and SEC areas WebEX: no Responsible AD: Peter Saint-Andre, Alexey Melnikov (tentative) Goal: to pursue creation of IETF working groups Drafts: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08; more to be discussed Mailing List: HTTP http-auth mailing list Mailing List Archive: http://www.ietf.org/mail-archive/web/http-auth/ -------- -- Yutaka OIWA, Ph.D. Research Scientist Research Center for Information Security (RCIS) National Institute of Advanced Industrial Science and Technology (AIST) Mail addresses: <y.oiwa@xxxxxxxxxx>, <yutaka@xxxxxxx> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5] _______________________________________________ http-auth mailing list http-auth@xxxxxxxx https://www.ietf.org/mailman/listinfo/http-auth
<<attachment: smime.p7s>>
_______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf