Re: [http-auth] [saag] re-call for IETF http-auth BoF

[Tim <tim-research@sentinelchicken.org>]

Hi everyone,

I'm coming out of lurking-mode to offer some opinions on this.


>  * What solution approach is most promising? (or multiple approaches)
>      You seem to suggest to standardize a strong-password based authentication mechanism in http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05
>      NSTIC fans seem to believe that the approach is towards stronger credentials (non-password-based) and the usage of federated log-ins. 
>      Again others believe that we will never agree on a single authentication protocol and hence we need a framework that allows passwords to be plugged in dynamically.
>      Browser vendors are interested, as you may recall from the Identity in the Browser discussion, in standardizing username/password form indications  so that the user does not need to type their username & password too often into forms - but the browser does it instead. 

In general authentication theory terms, using passwords is relying on
"something you know" (SYK) whereas certificates rely on "something you
have" (SYH).  By moving toward password management in the browser, you
turn something you know into something you have.  

The SYH solutions are very attractive from a security perspective and
from a usability perspective.  If it were sufficiently standardized,
browsers can use certificates or random passwords for each site and
users don't have to worry about it. (Of course once we move to a SYH
password model, then what is the point in using passwords at all
again?)

However, SYK will always have a place in the world.  There are many
situations where users simply want to be able to type in something
they've memorized.  Passwords will never go away completely for this
reason.  Add into that the fact that far more average users understand
username/password systems than certificates, and you will have a hard
time convincing the world to switch off of passwords even in
applications that would work prefectly well with SYH.

To me, the best way forward is to offer seemless integration of SYH
and SYK systems, both allowing for federated authentication and all of
the advanced features everyone seems to want these days.  If you
convince application developers and browser vendors to switch to such
a framework, then you also eliminate some barriers to entry for
switching some sites and users to switch away from passwords (or at
least user-chosen passwords).  

As a first step to this proposed master plan, the new SYK model must
be more secure than what we are using now, in order to convince people
to move away from web forms to the new system.  Protecting against
phishing attacks, which are rampant these days, is one great way to do
that.

tim