[http-auth] two things (was: Fwd: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: Meeting on March 29th at IETF83)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 20 March 2012 11:59 UTC
Message-ID: <4F687120.1020005@cs.tcd.ie>
Date: Tue, 20 Mar 2012 11:59:28 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "http-auth@ietf.org" <http-auth@ietf.org>
References: <4F67AD46.6040703@w3.org>
In-Reply-To: <4F67AD46.6040703@w3.org>
Subject: [http-auth] two things (was: Fwd: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: Meeting on March 29th at IETF83)
Two things,

1) see below, there's a w3c session on in Paris that might be of interest to folks here. And while going beyond http auth might be a lovely thing, better http auth is still of interest to me at least:-)

2) HTTPbis has been re-chartered now and its charter [1] now envisages folks proposing new http authentication schemes for http/2.0. I would hope that those who've been talking about this here will polish up their internet-drafts and propose them to httpbis in the next short while. httpbis plan to select zero or more of those in the next ~6 months.

If there are schemes proposed that are not adopted by httpbis but that seem to be worth pursuing as experimental RFCs then I'll be willing to look at starting a security working group to handle those. BUT, I'll be against chartering stuff for that putative group where that stuff was not proposed to httpbis first, so if you think your ideas in this space are worthwhile, please do propose them to httpbis as soon as your internet-draft is up to date.

Cheers,
S.

[1] http://tools.ietf.org/wg/httpbis/charters

-------- Original Message --------
Subject: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: Meeting on March 29th at IETF83
Resent-Date: Mon, 19 Mar 2012 22:03:06 +0000
Resent-From: public-identity@w3.org
Date: Mon, 19 Mar 2012 23:03:50 +0100
From: Harry Halpin <hhalpin@w3.org>
To: http-auth@ietf.org <http-auth@ietf.org>, public-identity@w3.org <public-identity@w3.org>, dev-identity@lists.mozilla.org

Not sure how many people are making it to IETF83, but W3C is hosting an onsite meeting on Thursday to discuss OAuth, BrowserID, OpenID, and the upcoming W3C Web Cryptography Working Group. Everyone is invited!

==Beyond HTTP Authentication: OAuth, OpenID, and BrowserID==

=Time and Location=

Thursday lunchtime (1130 to 1300) in room 252A just between the SCIM BoF and OAuth WG as part of IETF83 in Paris.

=Problem Statement=

While OAuth has solved the authorization problem, currently authentication on the Web is still insecure as it has yet for the most part failed to go beyond user-names and passwords. However, at this point a number of new client-side capabilities, including the possibility of W3C standardized Javascript cryptographic primitives, are emerging and a number of specifications such as OpenID Connect, BrowserID, and discussions over the future of HTTP Auth have shown that there is interest in understanding better how client-side key material can be used to enable a more secure Web authentication. However, there has yet to be consensus on how client-side cryptography can enable higher-security OAuth flows.

The purpose of this side meeting is to look at a more coherent picture of how technologies in the space of identity, authentication, and authorization combine and interact and to help frame future work in Web authentication. This informal meeting will present a number of proposed technical proposals in brief, including relationships to other existing work (such as RTCWeb and the upcoming W3C Web Cryptography Working Group), and to help frame future work in the area, and then proceed with open discussion.

For any questions, please contact Harry Halpin (hhalpin@w3.org)

=Schedule:=

11:30-11:45 Lightning presentations to "level-set" participants.
Mike Jones (Microsoft) will present the latest work from JOSE and OpenID Connect
Eric Rescorla (Mozilla hat on) will present Mozilla Persona and RTCWeb/WebRTC work
Blaine Cook will present OAuth 2.0
Harry Halpin (W3C) will present the upcoming W3C Web Cryptography API.

11:45-13:00 Open discussion on co-ordination between OAuth, HTTP Auth, OpenID Connect, BrowserID, and W3C.