Re: [apps-discuss] [http-auth] HTTP-Auth BoF in Quebec City Postponed

Yoav Nir <ynir@checkpoint.com> Sun, 24 July 2011 19:28 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "http-auth@ietf.org" <http-auth@ietf.org>
Date: Sun, 24 Jul 2011 22:28:26 +0300
Message-ID: <234F16BC-9875-474B-95B3-D61E8BE5A6E0@checkpoint.com>
References: <5FA6AD59-7570-4A85-B6D1-3DC8E42688F1@mnot.net>
In-Reply-To: <5FA6AD59-7570-4A85-B6D1-3DC8E42688F1@mnot.net>
Cc: "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] [http-auth] HTTP-Auth BoF in Quebec City Postponed

Hi.

Would the people interested in http-auth like to hold an informal meeting sometime during the week?

If we don't want to have future BoFs canceled again, we should have a clearer definition of what problem we are trying to solve.

The first thing is to define what is bad in the current situation. I think we've seen two claims about this:
- Authentication to a web site means sending a password in the clear to some web site that may or may not be the correct site.
- A website that requires log-ins has to either store passwords or password verifiers. A compromise of that database is disastrous, because users re-use passwords for other sites.

After deciding which issue we would like to address, we can decide if the direction we would like to take is a more secure password protocol, or whether we would like to go to some solution that does away with passwords altogether. I think there has been some meaningful discussion on the mailing list, but I don't see those discussions converging.

Do you think meeting face-to-face can help us move forward?

Yoav
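As an added illustration of the second claim in the message above (storing passwords versus storing verifiers), here is a constructed Python example; it is not part of Yoav's message or of any IETF document. The class names, the iteration count and the sample users and passwords are this example's own. It contrasts a store that keeps the submitted password with one that keeps only a per-user salted PBKDF2 verifier, and checks what a dump of each store reveals and whether the same password produces the same record at two different sites.

```python
import hashlib
import hmac
import secrets

# Constructed illustration: two toy credential stores, one that keeps the
# password itself and one that keeps only a per-user salted PBKDF2 verifier.
# Class names, the iteration count and the sample users are this example's own.

PBKDF2_ITERATIONS = 100_000  # kept modest so the demo runs quickly; production uses more


class PlaintextStore:
    """Keeps the password as submitted: a dump of `rows` is the password list."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password.encode()

    def verify(self, user, password):
        stored = self.rows.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored, password.encode())


class VerifierStore:
    """Keeps (salt, PBKDF2-HMAC-SHA256(password, salt)); the password is never written."""

    def __init__(self):
        self.rows = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = secrets.token_bytes(16)  # fresh random salt per user and per site
        self.rows[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        row = self.rows.get(user)
        if row is None:
            # Do the same amount of work for an unknown user so response time does
            # not reveal which usernames exist (dummy salt, constructed for this demo).
            self._derive(password, b"\x00" * 16)
            return False
        salt, verifier = row
        return hmac.compare_digest(self._derive(password, salt), verifier)


def password_visible_in_dump(store, user, password):
    """True if the raw stored row for `user` contains the password bytes."""
    row = store.rows[user]
    blob = row if isinstance(row, bytes) else b"".join(row)
    return password.encode() in blob


def rows_match_across_sites(store_a, store_b, user, password):
    """Register the same user/password at two sites and report whether the
    two sites hold identical rows, i.e. whether one site's dump is directly
    the other site's credential record as well."""
    store_a.register(user, password)
    store_b.register(user, password)
    return store_a.rows[user] == store_b.rows[user]


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("plaintext rows equal across sites:",
          rows_match_across_sites(PlaintextStore(), PlaintextStore(), "alice", pw))
    print("verifier rows equal across sites:",
          rows_match_across_sites(VerifierStore(), VerifierStore(), "alice", pw))
```

The salted verifier removes the direct problem (a dumped row is not the password and is not the record any other site holds), but a dumped verifier can still be guessed against offline, so password reuse across sites remains a risk; that residual risk is what the message's second option, doing away with passwords or moving to a protocol that never gives the server a guessable verifier, is aimed at.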