Re: [apps-discuss] [http-auth] HTTP-Auth BoF in Quebec City Postponed

Yoav Nir <> Sun, 24 July 2011 19:28 UTC

Would the people interested in http-auth like to hold an informal meeting sometime during the week?

If we don't want to have future BoFs canceled again, we should have a more clear definition of what problem we are trying to solve.

The first thing is to define what is bad in the current situation. I think we've seen two claims about this:
- Authentication to a web site means sending a password in the clear to some web site that may or may not be the correct site.
- A website that requires log-ins has to either store passwords or password verifiers. A compromise of that database is disastrous, because users re-use passwords for other sites.

After deciding which issue we would like to address, we can decide if the direction we would like to take is a more secure password protocol, or whether we would like to go to some solution that does away with passwords altogether. I think there has been some meaningful discussion on the mailing list, but I don't see those discussions converging.

Do you think meeting face-to-face can help us move forward?