[http-auth] two things (was: Fwd: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: Meeting on March 29th at IETF83)

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

Two things,

1) see below, there's a w3c session on in Paris that might be of
interest to folks here.

And while going beyond http auth might be a lovely thing, better
http auth is still of interest to me at least:-)

2) HTTPbis has been re-chartered now and its charter [1] now
envisages folks proposing new http authentication schemes for
http/2.0. I would hope that those who've been talking about
this here will polish up their internet-drafts and propose them
to httpbis in the next short while. httpbis plan to select
zero or more of those in the next ~6 months.

If there are schemes proposed that are not adopted by httpbis
but that seem to be worth pursuing as experimental RFCs then
I'll be willing to look at starting a security working group
to handle those.

BUT, I'll be against chartering stuff for that putative group
where that stuff was not proposed to httpbis first, so if you
think your ideas in this space are worthwhile, please do
propose them to httpbis as soon as your internet-draft is up
to date.

Cheers,
S.

[1] http://tools.ietf.org/wg/httpbis/charters

-------- Original Message --------
Subject: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: 
Meeting  on March 29th at IETF83
Resent-Date: Mon, 19 Mar 2012 22:03:06 +0000
Resent-From: public-identity@w3.org
Date: Mon, 19 Mar 2012 23:03:50 +0100
From: Harry Halpin <hhalpin@w3.org>
To: http-auth@ietf.org <http-auth@ietf.org>,  public-identity@w3.org 
<public-identity@w3.org>, dev-identity@lists.mozilla.org

Not sure how many people are making it to IETF83, but W3C is hosting an
onsite meeting on Thursday to discuss OAuth, BrowserID, OpenID, and the
upcoming W3C Web Cryptography Working Group. Everyone is invited!

==Beyond HTTP Authentication: OAuth, OpenID, and BrowserID==

=Time and Location=

Thursday lunchtime (1130 to 1300) in room 252A just between the SCIM BoF
and OAuth WG as part of IETF83 in Paris.

= Problem Statement=

While OAuth has solved the authorization problem, currently
authentication on the Web is still insecure as it has yet for the most
part failed to go beyond user-names and passwords. However, at this
point a number of new client-side capabilities, including the
possibility of W3C standardized Javascript cryptographic primitives, are
emerging and a number of specifications such as OpenID Connect,
BrowserID, and discussions over the future of HTTP Auth have shown that
there is interest in understanding better how client-side key material
can be used to enable a more secure Web authentication. However, there
has yet to be consensus on how client-side cryptography can enable
higher-security OAuth flows. The purpose of this side meeting is to look
at a more coherent picture of how technologies in the space of identity,
authentication, and authorization combine and interact and to help frame
future work in Web authentication.

This informal meeting will present a number of proposed technical
proposals in brief, including relationships to other existing work (such
as RTCWeb and the upcoming W3C Web Cryptography Working Group), and to
help frame future work in the area.and then precede with open discussion.

For any questions, please contact Harry Halpin (hhalpin@w3.org)

=Schedule:=

11:30-11:45 Lightning presentations to "level-set" participants.

Mike Jones (Microsoft) will present the latest work from JOSE and OpenID
Connect
Eric Rescorla (Mozilla hat on) will present Mozilla Persona and
RTCWeb/WebRTC work
Blaine Cook will present OAuth 2.0
Harry Halpin (W3C) will present the upcoming W3C Web Cryptography API.

11:45-13:00 Open discussion on co-ordination between OAuth, HTTP Auth,
OpenID Connect, BrowserID, and W3C.