Re: [http-auth] [saag] re-call for IETF http-auth BoF

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 06 June 2011 10:09 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: http-auth@ietf.org, y.oiwa@aist.go.jp
Date: Mon, 06 Jun 2011 11:30:48 +0300
Message-Id: <A89D85D0-00AB-4F21-8841-6707E9CDCFC4@gmx.net>
In-Reply-To: <878vtgfbs1.fsf@bluewind.rcis.aist.go.jp>
References: <878vtgfbs1.fsf@bluewind.rcis.aist.go.jp>
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>

Hi Yutaka, 

it is definitely a good idea to get ourselves organized to continue our work in securing the Web. 

For me, the main questions are: 

 * What is the biggest problem?
   You, for example, point to the usage of forms for user authentication in Web pages in the agenda proposal.
   The NSTIC fans seem to believe that passwords are the problem to begin with.

 * What solution approach is most promising? (or multiple approaches)
   You seem to suggest standardizing a strong-password-based authentication mechanism in http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05
   NSTIC fans seem to believe that the approach is towards stronger credentials (non-password-based) and the usage of federated log-ins.
   Again others believe that we will never agree on a single authentication protocol and hence we need a framework that allows passwords to be plugged in dynamically.
   Browser vendors are interested, as you may recall from the Identity in the Browser discussion, in standardizing username/password form indications so that the user does not need to type their username & password too often into forms - but the browser does it instead.

 * How do we motivate the different stakeholders to implement and deploy our favorite solutions? (There is also the usability issue for the user.)
   Whatever you come up with, changes are needed on the client and on the server side. That requires a lot of cooperation.

Ciao
Hannes

On Jun 5, 2011, at 8:06 PM, Yutaka OIWA wrote:

> Dear all at http-auth mailing list,
> (Cc: Peter, Sean, Harry, and related mailing lists subscribers)
> 
> following the discussions in the Prague http-auth Bar-BoF in March,
> and the W3C Identity in Browser workshop last month, I would now
> like to re-call the formation of a BoF for http-auth in the IETF.  The
> workshop was really hot and enjoyable, and there were so many useful
> inputs to both the Web community and the IETF, I believe.  Some materials
> presented and discussed there are available at
> <http://www.w3.org/2011/identity-ws/>.
> 
> # Harry, are the *output* materials of the workshop already available to the public?
> 
> Currently I'm preparing a start-up version of the problem statement document and
> a proposed BoF agenda.  However, very unfortunately, last week I had a
> severe fever and could not work well (I'm really sorry about that).
> I'm going to submit them to the list within two days, and if possible
> comments on the last version of the agenda proposal, available at
> <http://www.ietf.org/mail-archive/web/http-auth/current/msg00770.html>,
> are welcome.  I'm currently working based on that.
> 
> Thanks,
> 
> Yutaka
> 
> -- 
> Yutaka OIWA, Ph.D.                                       Research Scientist
>                            Research Center for Information Security (RCIS)
>    National Institute of Advanced Industrial Science and Technology (AIST)
>                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]