[http-auth] [httpauth] Mutual authentication proposal

Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 04 June 2012 14:28 UTC

To: HTTP Working Group <ietf-http-wg@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>

Dear all,

with a few corrections from the May-21st draft,
I submitted the HTTP Mutual authentication draft as an httpbis proposal.

The proposal consists of two parts:

<http://www.ietf.org/id/draft-oiwa-httpbis-mutualauth-00.txt>
is the core proposal for HTTP Mutual authentication,
using RFC 2617 architecture.

<http://www.ietf.org/id/draft-oiwa-httpbis-auth-extension-00.txt>
is the important companion draft for generic extensions
which make HTTP authentication useful again with
many Web applications.

The proposal is (both documents are) HTTP/1.1 compatible, and
as far as core HTTP request/response semantics are kept,
it should work with future HTTP/2.0, too.

I will set up wiki pages for these around tomorrow or so.
It will include information on available reference implementations,
some more introductions and so on.
I hope you will enjoy the proposed solution.

Following previous suggestions on http-auth, crypto primitive choices
are kept for future discussions.  One of the primitive candidates,
which is now for an "example" or "reference" purpose,
is available as an "individual" draft at
<http://tools.ietf.org/html/draft-oiwa-http-mutualauth-algo-02>.
To implement the core proposal now, please refer to this, too.


P. S.
I also incremented the individual draft revisions for book-keeping purposes.
(One of these depends on the revision numbers embedded in the protocol.)
The contents of these are exactly the same as the httpbis-proposed versions.

-- 
Yutaka OIWA, Ph.D.              Leader, Software Reliability Research Group
                             Research Institute for Secure Systems (RISEC)
   National Institute of Advanced Industrial Science and Technology (AIST)
                     Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]