[http-auth] http-auth: Mutual - drafts updated

Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 21 May 2012 11:09 UTC

Message-ID: <4FBA224B.8080102@aist.go.jp>
Date: Mon, 21 May 2012 20:08:59 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: "http-auth@ietf.org" <http-auth@ietf.org>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: [http-auth] http-auth: Mutual - drafts updated

Dear all,

I have updated my three drafts related to the HTTP authentication:

http://tools.ietf.org/html/draft-oiwa-http-mutualauth-11
http://tools.ietf.org/html/draft-oiwa-http-mutualauth-algo-02
http://tools.ietf.org/html/draft-oiwa-http-auth-extension-01

The first one is the main draft introducing a cryptographically strong
mutual authentication using weak secrets (i.e., passwords) to HTTP.
Both password safety and the server-to-client authenticity assurance
are the key features of the proposal.

The second one defines an example crypto algorithm for use with
the above.

The last one is a companion draft making small but powerful enough
(I believe so) semantic extensions to HTTP authentication, which can be
used just like API calls from Web applications, so that
it can support modern Web applications.  This erases (or
at least mitigates) many problems which prevent the introduction of strong
authentication to the Web in a browser- (not content-)controlled manner.

With the first proposal, we can replace Basic and Digest with stronger
crypto-based authentication.  Using both the first and the third,
we can also bring that strength to applications which currently
use custom application-implemented authentication, too.
I will add some use-case examples to the last draft soon, hopefully.

I'll ask Mark separately off-list about handling of the second and third drafts
under the prescribed procedure, then I'm going to submit the set as an httpbis
auth candidate within a week or so.

Appendix 1: main updates from the previous drafts:
  - extending stale session notification to more generic indications.
  - updated to follow the latest httpbis syntax conventions.

Appendix 2: about crypto choices:
In the previous side meetings, we discussed that
crypto choice discussions should be postponed to another appropriate time.
We are still maintaining the second draft for now, however,
just because we need at least one choice for testing and evaluating
implementations.  So, if you have opinions about algorithm choices,
please keep that in mind, and so will I.
The title of the second draft has been changed slightly to reflect that.

-- 
Yutaka OIWA, Ph.D.              Leader, Software Reliability Research Group
                              Research Institute for Secure Systems (RISEC)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]