Re: [http-auth] side meeting on Wednesday, March 30
Yutaka OIWA <y.oiwa@aist.go.jp> Tue, 29 March 2011 12:07 UTC
Message-ID: <4D91CBCD.8080505@aist.go.jp>
Date: Tue, 29 Mar 2011 21:08:45 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4D90C75A.1040004@aist.go.jp> <4D91A549.4050107@stpeter.im>
In-Reply-To: <4D91A549.4050107@stpeter.im>
Cc: http-auth@ietf.org
Subject: Re: [http-auth] side meeting on Wednesday, March 30
Yes, please give me a while.

On 2011/03/29 18:24, Peter Saint-Andre wrote:
> When you finish creating your slides, could you send them to the list?
>
> On 3/28/11 7:37 PM, Yutaka OIWA wrote:
>> Dear all,
>>
>> I'm looking forward to seeing you at 20:00 Wednesday in Karlin II/III.
>>
>> My current plan for the side meeting is to get to know each other's faces by
>> meeting face-to-face, and to share the problem space which is broken now and
>> which is to be fixed by our future working group (hopefully).
>> The important point here is that the solutions must be not only implementable in
>> the HTTP client/server, but also deployable and usable by Web applications. I
>> believe this is the most problematic point of current largely-unused solutions,
>> including TLS client certificate authentication.
>>
>> I will prepare a small presentation which will describe *my* view of what should
>> be done. Your opinions and views are very welcome.
>> Also, I am waiting for inputs for the possible future agenda quoted below.
>>
>> See you,
>>
>> Yutaka
>>
>> -------- Original Message --------
>> Subject: Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline
>> Monday/Possible W3C Workshop?
>> Date: Mon, 31 Jan 2011 20:54:37 +0900
>> From: Yutaka OIWA <y.oiwa@aist.go.jp>
>> To: Harry Halpin <hhalpin@w3.org>
>> CC: http-auth@ietf.org
>>
>> Dear Harry and all,
>>
>> "Harry Halpin" <hhalpin@w3.org> writes:
>>
>>> Another idea would be to hold an informal bar-BOF at Prague if the BOF
>>> can't be put together quickly enough, as a bar-BOF would require less work
>>> and give us more time to bake the tech ideas or charter. I'll leave this
>>> decision in the hands of more experienced IETF folks.
>>
>> In both ways, anyway, we will need a good-direction proposal and
>> agenda. It is hard for me to write a "good" one, but I made a "bad" :-)
>> one as a starting point.
>>
>> Please consider it for improvements and rephrasing. Thanks Harry for
>> providing a very good description which I've used as a starting point.
>>
>> * Things to consider:
>>
>> - agenda not yet written
>> - goal: currently ambiguous (intentionally); to discuss, or to form a WG?
>>
>> --------
>> Description:
>>
>> The current authentication methods used in the Web system are prone to
>> various serious vulnerabilities, including password eavesdropping,
>> password stealing, session hijacking, and phishing. Because of the lack
>> of good/secure support for web application authentication in the
>> HTTP layer, people tend to use HTML forms for authentication, which
>> are by nature insecure.
>>
>> This problem should be solved as soon as possible to mitigate the
>> impact of Web authentication-related fraud on Internet
>> users. However, to solve this problem, the resulting technologies
>> should be carefully designed so that they will be well deployable to
>> real-world applications.
>>
>> Recently we have several new proposals for securing Web/HTTP
>> authentication, some of which have proposed drafts. In addition,
>> the work of the HTTPBIS working group is about to finish, and it will
>> require some maintenance work for the existing HTTP authentication
>> mechanisms, at least the registrations with IANA.
>>
>> The purpose of the proposed BoF is to pursue creation of IETF working
>> groups on various HTTP authentication issues. The possible topics of
>> the future working group may include the following:
>>
>> * Introduction of much more secure authentication mechanisms as
>> extensions to HTTP.
>>
>> * Introduction of technologies which will enable more sophisticated
>> use of HTTP authentication in the application layer.
>>
>> * Research on secure ways of Web/HTML authentication and the
>> required protocol-side support for them.
>>
>> * Maintenance of existing HTTP authentication extensions (other than
>> Basic and Digest), either checking their httpbis conformance or making
>> them historic.
>>
>> * Proposing addition of authentication schemes to the IANA registry
>> as proposed by httpbis.
>>
>> Both the BoF and the possible future working group expect good coordination with
>> W3C's effort on the related topics.
>>
>>
>> BoF proposed agenda:
>>
>> * Topics to be discussed in the future working group
>>
>> * TBD
>>
>> Logistical information:
>>
>> BoF Chairs: TBD
>> BOF Proponents: Harry Halpin, Yutaka OIWA, ... (TBD)
>> People expected: 50
>> Length of session: 90min
>> Conflicts to avoid: Working Groups in the APP and SEC areas
>> WebEX: no
>> Responsible AD: Peter Saint-Andre, Alexey Melnikov (tentative)
>> Goal: to pursue creation of IETF working groups
>> Drafts: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08; more to be
>> discussed
>> Mailing List: HTTP http-auth mailing list
>> Mailing List Archive: http://www.ietf.org/mail-archive/web/http-auth/
>> --------

-- 
Yutaka Oiwa
National Institute of Advanced Industrial Science and Technology (AIST),
Research Center for Information Security, Software Security Research Team
<y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]