[apps-discuss] HTTP authentication: the next generation

Peter Saint-Andre <stpeter@stpeter.im> Fri, 10 December 2010 22:52 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 8E28328C160; Fri, 10 Dec 2010 14:52:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.524
X-Spam-Status: No, score=-102.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id pooBEj5tHnYh; Fri, 10 Dec 2010 14:52:27 -0800 (PST)
Received: from stpeter.im (stpeter.im []) by core3.amsl.com (Postfix) with ESMTP id 5CB8428C0F3; Fri, 10 Dec 2010 14:52:24 -0800 (PST)
Received: from dhcp-64-101-72-173.cisco.com (dhcp-64-101-72-173.cisco.com []) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 69D59400F6; Fri, 10 Dec 2010 16:05:59 -0700 (MST)
Message-ID: <4D02AF81.6000907@stpeter.im>
Date: Fri, 10 Dec 2010 15:53:53 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: http-auth@ietf.org
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms010603010501000706070400"
Cc: "kitten@ietf.org" <kitten@ietf.org>, websec@ietf.org, saag@ietf.org, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: [apps-discuss] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Dec 2010 22:52:28 -0000

Is it time to start thinking about next-generation authentication
technologies for HTTP?

We all know that BASIC and DIGEST are ancient and crufty and lacking
many features and security properties we might want, but there hasn't
been much discussion about more modern approaches. Here are a few things
I've found:

1. Way back in 2001, Keith Burdis wrote an I-D about upgrading to SASL
within HTTP: http://tools.ietf.org/id/draft-burdis-http-sasl-00.txt

2. In 2007, Robert Sayre put together a few slides on the topic:

3. Yutaka Oiwa and his colleagues have been working on a protocol for
mutual auth: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08

Other than that, I'm not aware of much activity. What have I missed?
Does it make sense to perhaps hold an exploratory BoF at the next IETF
meeting (Prague, March 2011) to get people thinking about this topic?

If you're interested, please discuss on the http-auth@ietf.org list:




Peter Saint-Andre