[dix] WAE BOF minutes (Final cut)

Pete Resnick <presnick@qualcomm.com> Tue, 15 August 2006 17:40 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GD2tx-0004I2-B7; Tue, 15 Aug 2006 13:40:29 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GD2tw-0004EZ-53 for dix@ietf.org; Tue, 15 Aug 2006 13:40:28 -0400
Received: from 216-43-25-66.ip.mcleodusa.net ([216.43.25.66] helo=episteme-software.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GD2tm-0002CP-AY; Tue, 15 Aug 2006 13:40:23 -0400
Received: from [216.43.25.67] (127.0.0.1) by episteme-software.com with ESMTP (EIMS X 3.3a1); Tue, 15 Aug 2006 12:40:15 -0500
Mime-Version: 1.0
X-Sender: resnick@resnick1.qualcomm.com
Message-Id: <p07000c0ec107b484f122@[216.43.25.67]>
In-Reply-To: <630749EE-9B10-4F84-A3DB-2D83C1D5C2DC@sxip.com>
References: <630749EE-9B10-4F84-A3DB-2D83C1D5C2DC@sxip.com>
X-Mailer: Eudora [Macintosh version 7.0a12]
Date: Tue, 15 Aug 2006 12:40:14 -0500
To: Digital Identity Exchange <dix@ietf.org>
From: Pete Resnick <presnick@qualcomm.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 36c793b20164cfe75332aa66ddb21196
Cc: Digital Identity Exchange <dix@ietf.org>, IETF HTTP Auth <ietf-http-auth@lists.osafoundation.org>
Subject: [dix] WAE BOF minutes (Final cut)
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

Overdue time to send these in. Please make a last check before I send 
them and YELL QUICKLY if there are issues. I've incorporated Eliot's 
notes into Dick's and cleaned up a bit.

----

Web Authentication Enhancement BOF (WAE)
FRIDAY, July 14, 2006
0900-1130 Morning Session I
Room 519A

Chair: Pete Resnick
Minutes: Dick Hardt
(Additional Notes: Eliot Lear)

The meeting started off with the usual agenda review. Agenda was 
accepted as proposed.

The first item was Terminology.
Reading assignment: read RFC 2828
	Internet Security Glossary
	http://www.ietf.org/rfc/rfc2828.txt
Other Glossaries mentioned:
	Internet Security Glossary, Version 2
	http://www.ietf.org/internet-drafts/draft-shirey-secgloss-v2-04.txt

	SAMLv2: Glossary
	http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf

	"identity gang" lexicon
	http://identitygang.org/Lexicon


The next item was Problems we want to solve (see agenda)
A few things were added:
	- whitelisting
	- claim minimality
	- proof of server identity

Sam Hartman made his presentation, there were a few questions.

There was then additional discussion on Problems we want to solve.

Additional problems
	non-browsing HTTP support
	support for existing infrastructure
	Cross Application Credential (XAC)

There was a general concern that we could end up boiling the ocean.

Grouping of problems was then started.
Dick Hardt's slide was presented.

Ekr initially proposed grouping the problem up as:

EKR1: Non-insane replacement for HTTP digest
	- anti-phishing
	- passwords and other

EKR2: Cross-site identity
	- "Eliot's dad problem" (easily identify yourself to multiple 
sites), SSO

EKR3: Claim & Attribute Transferral

More detailed discussion on each problem then ensued:

EKR1: Fix HTTP Auth
AD questions to audience concluded with:
	- Liaise w/ W3C on GUI
	- Liaise w/ APWG
	- Layer / Arch TBD
	- can stand alone, but coordinate w/ EKR2 and EKR3
	EKR1 does not require EKR2

EKR2: Cross-site identifier
(Eliot's dad problem was broken off to be EKR4)
	- raw assertions of identity are easier to trust than attributes
	- name subordination
	- existing technology, but glue work
	Question: Is there glue work to be done by the IETF?
			- no one thinks there is no glue work, 15 
think there is, 15 are not sure
	12 ok on work if EKR1 not happening,

EKR3: Claim & Attribute Transferral
	- existing claims and syntaxes may be used
	- binds attribute assertions to underlying communication
	- not limited to HTTP
	Question: Is there glue work to be done here by the IETF?
	12 support, a couple object

EKR4:
	- eliot's dad problem
	part of EKR1 & EKR 2

There seem to be strong support for working on the EKR 1 and EKR 2, 
weak support for the EKR 3, and a general agreement that EKR 4 should 
not be forgotten, although it was unclear whether EKR 4 needed to be 
solved separately from EKR 1 and EKR 2.

There also seemed to be general agreement that we should focus our 
efforts on fixing HTTP browsing first, non-browsing second, and not 
worry about cross application credentials.

Lisa and the IESG now have to determine whether there should be 
another BoF, separate BoFs for separate working groups or to do 
something else. Work done by other organizations, such as W3C, also 
need to take into account and note needs to be taken of UI concerns.

Meeting concluded 15 minutes late.

-- 
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix