Re: [http-auth] [saag] re-call for IETF http-auth BoF
Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 06 June 2011 10:09 UTC

Hi Yutaka,

it is definitely a good idea to get ourselves organized to continue our work in securing the Web.

For me, the main questions are:

* What is the biggest problem?

You, for example, point to the usage of forms for user authentication in Web pages in the agenda proposal.
The NSTIC fans seem to believe that passwords are the problem to begin with.

* What solution approach is most promising? (or multiple approaches)

You seem to suggest to standardize a strong-password based authentication mechanism in http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05

NSTIC fans seem to believe that the approach is towards stronger credentials (non-password-based) and the usage of federated log-ins.

Again others believe that we will never agree on a single authentication protocol and hence we need a framework that allows passwords to be plugged in dynamically.

Browser vendors are interested, as you may recall from the Identity in the Browser discussion, in standardizing username/password form indications so that the user does not need to type their username & password too often into forms - but the browser does it instead.

* How do we motivate the different stakeholders to implement and deploy our favorite solutions? (There is also the usability issue for the user.)

Whatever you come up with, changes are needed on the client, and on the server side. That requires a lot of cooperation.

Ciao
Hannes

On Jun 5, 2011, at 8:06 PM, Yutaka OIWA wrote:

> Dear all at http-auth mailing list,
> (Cc: Peter, Sean, Harry, and related mailing lists subscribers)
>
> following the discussions in the Prague http-auth Bar-BoF in March,
> and the W3C Identity in Browser workshop in the last month, now I
> would like to re-call the formation of BoF for http-auth in IETF. The
> workshop was really hot and enjoying, and there were so many useful
> inputs to both Web community and IETF, I believe. Some materials
> presented and discussed there are available at
> <http://www.w3.org/2011/identity-ws/>.
>
> # Harry, are the *output* materials of the workshop already available to public?
>
> Currently I'm preparing a start-up version of problem statement document and
> proposed BoF agenda. However, very unfortunately, the last week I had a
> severe fever heat and could not work well (I'm really sorry about that).
> I'm going to submit them to the list within two days, and if possible
> comments to the last version of the agenda proposal, available at
> <http://www.ietf.org/mail-archive/web/http-auth/current/msg00770.html>,
> are welcome. I'm currently working based on that.
>
> Thanks,
>
> Yutaka
>
> --
> Yutaka OIWA, Ph.D. Research Scientist
> Research Center for Information Security (RCIS)
> National Institute of Advanced Industrial Science and Technology (AIST)
> Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag