Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Dave Raggett <dsr@w3.org> Mon, 13 December 2010 10:16 UTC

From: Dave Raggett <dsr@w3.org>
To: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <2230EA03-32C5-4D34-BC6B-304E813BE3A7@gbiv.com>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@[10.20.30.150]> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com> <4D0479E3.4050508@gmail.com> <4D04D7D6.4090105@isode.com> <A23730A9-728B-4533-96D7-0B62496CC98A@checkpoint.com> <4D051731.1020400@isode.com> <2230EA03-32C5-4D34-BC6B-304E813BE3A7@gbiv.com>
Content-Type: text/plain; charset="UTF-8"
Organization: W3C
Date: Mon, 13 Dec 2010 10:17:34 +0000
Message-ID: <1292235454.20343.122.camel@ivy>
Cc: Jan Camenisch <jca@zurich.ibm.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

And let's not ignore secure privacy enhancing technologies like
anonymous credentials and zero knowledge proofs, see e.g.:

http://www.w3.org/QA/2010/11/boosting_privacy_online_-_anon.html

It is often sufficient to know that someone is a member of a group or
has certain attributes rather than knowing exactly who that person is. 

Perhaps we could add to SASL the notion of secure anonymous access for
authenticated access?  This involves the client generating and passing a
proof to the server that satisfies the proof specification and nonce
provided by the server.

[ Jan, see http://datatracker.ietf.org/wg/kitten/charter/ ]

n.b. this work was carried out with support from the European PrimeLife
project on privacy and identity, see http://www.primelife.eu/

On Sun, 2010-12-12 at 14:39 -0800, Roy T. Fielding wrote:
> On Dec 12, 2010, at 10:40 AM, Alexey Melnikov wrote:
> 
> > Yoav Nir wrote:
> > 
> >> EAP has one advantage. It is easy to integrate with existing
> >> RADIUS/DIAMETER infrastructure.
> >> 
> > True.
> > And SASL has an advantage that it is easier to integrate with LDAP
> > infrastructure.
> > 
> > I think this just demonstrates that before an HTTP authentication
> > mechanism can be evaluated, people need to agree on a common
> > evaluation criteria for HTTP authentication.
> 
> Define them all and let's have a bake-off.  It has been 16 years since
> HTTP auth was taken out of our hands so that the security experts could
> define something perfect.  Zero progress so far.  We should just define
> everything and let the security experts do what they do best -- find the
> holes and tell us what not to implement.
> 
> ....Roy
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
> 

-- 
 Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
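The exchange Dave sketches above (server supplies a proof specification and a nonce, client returns a proof that it is a member of a group without saying which member) as an added, runnable illustration. This is example code written for this page, not code from the message, from PrimeLife or from Idemix; it stands in for real anonymous credentials with a much simpler construction, a Cramer-Damgard-Schoenmakers OR-proof of knowledge of one discrete log among n public keys, made non-interactive with Fiat-Shamir and bound to the server nonce. The group parameters are generated at 64 bits purely to keep the demo fast, and the three-member group is constructed inline; both are assumptions of the example, not anything from the thread.

```python
"""Anonymous group-membership proof bound to a server nonce.

Illustrative example written for this page (not PrimeLife/Idemix code):
an OR-proof that the prover knows the private key behind one of n public
keys.  The verifier learns "some member" but not which one.
"""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for generating demo parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits: int = 64):
    """Safe prime P = 2Q + 1 and G = 4 of prime order Q (toy size: a deployment
    would use a standard 2048-bit MODP group or an elliptic curve)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4   # 4 = 2^2 is a square, so its order is Q


P, Q, G = generate_group()
_W = (P.bit_length() + 7) // 8      # fixed width for hashing group elements


def keygen():
    """(private, public) with public = G^private mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(nonce: bytes, pubkeys, commitments) -> int:
    """Fiat-Shamir challenge over the server nonce, the group and all commitments."""
    h = hashlib.sha256(nonce)
    for v in list(pubkeys) + list(commitments):
        h.update(v.to_bytes(_W, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prove_membership(nonce: bytes, pubkeys, index: int, privkey: int):
    """Prove knowledge of the key for pubkeys[index] without revealing index."""
    n = len(pubkeys)
    c, s, t = [0] * n, [0] * n, [0] * n
    for i in range(n):                 # simulate every branch we cannot answer
        if i != index:
            c[i], s[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            t[i] = pow(G, s[i], P) * pow(pubkeys[i], Q - c[i], P) % P
    r = secrets.randbelow(Q)           # real commitment for our own branch
    t[index] = pow(G, r, P)
    total = _challenge(nonce, pubkeys, t)   # nonce is hashed in: no replay
    c[index] = (total - sum(c)) % Q    # c[index] is still 0 here
    s[index] = (r + c[index] * privkey) % Q
    return list(zip(c, s))


def verify_membership(nonce: bytes, pubkeys, proof) -> bool:
    """Server side: recompute every commitment and check the challenge sum."""
    if len(proof) != len(pubkeys):
        return False
    t = []
    for y, (c_i, s_i) in zip(pubkeys, proof):
        if not (0 <= c_i < Q and 0 <= s_i < Q):
            return False
        t.append(pow(G, s_i, P) * pow(y, Q - c_i, P) % P)
    return sum(c for c, _ in proof) % Q == _challenge(nonce, pubkeys, t)


def demo():
    """Constructed three-member group; returns
    (member0_ok, member2_ok, replayed_nonce_ok, tampered_ok)."""
    keys = [keygen() for _ in range(3)]
    pubkeys = [pub for _, pub in keys]
    nonce = secrets.token_bytes(16)                 # the server's challenge
    proof0 = prove_membership(nonce, pubkeys, 0, keys[0][0])
    proof2 = prove_membership(nonce, pubkeys, 2, keys[2][0])
    tampered = [(c, (s + 1) % Q) for c, s in proof0]
    return (verify_membership(nonce, pubkeys, proof0),
            verify_membership(nonce, pubkeys, proof2),
            verify_membership(secrets.token_bytes(16), pubkeys, proof0),
            verify_membership(nonce, pubkeys, tampered))


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The server's "proof specification" here is just the list of admitted public keys; the nonce goes into the Fiat-Shamir hash, so a proof made for one challenge fails against any other, and a proof from member 0 and one from member 2 are indistinguishable to the verifier. Real anonymous-credential systems replace the flat key list with a signed credential and prove statements about its attributes, but the client/server shape of the exchange is the same.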