Re: [http-auth] [saag] re-call for IETF http-auth BoF
Tim <tim-research@sentinelchicken.org> Mon, 06 June 2011 17:03 UTC
Return-Path: <tim-research@sentinelchicken.org>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D35411E819F for <http-auth@ietfa.amsl.com>; Mon, 6 Jun 2011 10:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fx2qpHuV0C2w for <http-auth@ietfa.amsl.com>; Mon, 6 Jun 2011 10:02:59 -0700 (PDT)
Received: from sentinelchicken.org (mail.sentinelchicken.org [69.168.48.72]) by ietfa.amsl.com (Postfix) with ESMTP id 38D4311E81AD for <http-auth@ietf.org>; Mon, 6 Jun 2011 10:02:59 -0700 (PDT)
Received: (qmail 5544 invoked from network); 6 Jun 2011 17:02:57 -0000
Received: from unknown (HELO pascal.sentinelchicken.org) (10.81.64.2) by feynman.sentinelchicken.org with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 Jun 2011 17:02:57 -0000
Received: (qmail 5911 invoked from network); 6 Jun 2011 17:04:18 -0000
Received: from shannon.sentinelchicken.org (10.81.64.4) by pascal.sentinelchicken.org with SMTP; 6 Jun 2011 17:04:18 -0000
Received: (nullmailer pid 7628 invoked by uid 1000); Mon, 06 Jun 2011 17:02:56 -0000
Date: Mon, 06 Jun 2011 10:02:56 -0700
From: Tim <tim-research@sentinelchicken.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <20110606170256.GF1565@sentinelchicken.org>
References: <878vtgfbs1.fsf@bluewind.rcis.aist.go.jp> <A89D85D0-00AB-4F21-8841-6707E9CDCFC4@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <A89D85D0-00AB-4F21-8841-6707E9CDCFC4@gmx.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: http-auth@ietf.org
Subject: Re: [http-auth] [saag] re-call for IETF http-auth BoF
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2011 17:03:00 -0000
Hi everyone, I'm coming out of lurking-mode to offer some opinions on this. > * What solution approach is most promising? (or multiple approaches) > You seem to suggest to standardize a strong-password based authentication mechanism in http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05 > NSTIC fans seem to believe that the approach is towards stronger credentials (non-password-based) and the usage of federated log-ins. > Again others believe that we will never agree on a single authentication protocol and hence we need a framework that allows passwords to be plugged in dynamically. > Browser vendors are interested, as you may recall from the Identity in the Browser discussion, in standardizing username/password form indications so that the user does not need to type their username & password too often into forms - but the browser does it instead. In general authentication theory terms, using passwords is relying on "something you know" (SYK) whereas certificates rely on "something you have" (SYH). By moving toward password management in the browser, you turn something you know into something you have. The SYH solutions are very attractive from a security perspective and from a usability perspective. If it were sufficiently standardized, browsers can use certificates or random passwords for each site and users don't have to worry about it. (Of course once we move to a SYH password model, then what is the point in using passwords at all again?) However, SYK will always have a place in the world. There are many situations where users simply want to be able to type in something they've memorized. Passwords will never go away completely for this reason. Add into that the fact that far more average users understand username/password systems than certificates, and you will have a hard time convincing the world to switch off of passwords even in applications that would work prefectly well with SYH. To me, the best way forward is to offer seemless integration of SYH and SYK systems, both allowing for federated authentication and all of the advanced features everyone seems to want these days. If you convince application developers and browser vendors to switch to such a framework, then you also eliminate some barriers to entry for switching some sites and users to switch away from passwords (or at least user-chosen passwords). As a first step to this proposed master plan, the new SYK model must be more secure than what we are using now, in order to convince people to move away from web forms to the new system. Protecting against phishing attacks, which are rampant these days, is one great way to do that. tim
- Re: [http-auth] [saag] re-call for IETF http-auth… Yutaka OIWA
- Re: [http-auth] [saag] re-call for IETF http-auth… Tim
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Harry Halpin
- Re: [http-auth] [saag] re-call for IETF http-auth… Hannes Tschofenig
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Tim
- Re: [http-auth] [saag] re-call for IETF http-auth… Marsh Ray
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Stephen Farrell
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Marsh Ray
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Julian Reschke
- [http-auth] Fwd: re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] [websec] re-call for IETF http-au… Phillip Hallam-Baker
- Re: [http-auth] [websec] re-call for IETF http-au… Alexey Melnikov
- Re: [http-auth] [saag] [websec] re-call for IETF … Peter Gutmann
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [websec] [saag] re-call for IETF … Stephen Farrell
- Re: [http-auth] [websec] [saag] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … KIHARA, Boku
- [http-auth] Fwd: [saag] [websec] re-call for IETF… KIHARA, Boku
- Re: [http-auth] [websec] Fwd: [saag] re-call for … Thomas Roessler
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Peter Gutmann
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Josh Howlett
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Marc Williams
- Re: [http-auth] [saag] [websec] Fwd: re-call for … SHIMIZU, Kazuki
- Re: [http-auth] [saag] [websec] Fwd: re-call for … GOGWIM, JOEL GODWIN
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Nico Williams
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Henry B. Hotz
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yutaka OIWA
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yutaka OIWA
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yaron Sheffer
- Re: [http-auth] [websec] [saag] Fwd: re-call for … Marsh Ray
- Re: [http-auth] [websec] [saag] Fwd: re-call for … Stephen Farrell
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Phillip Hallam-Baker
- Re: [http-auth] [websec] [saag] re-call for IETF … Thomas Fossati
- Re: [http-auth] [websec] [saag] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Henry B. Hotz