Re: [http-auth] side meeting on Wednesday, March 30
Peter Saint-Andre <stpeter@stpeter.im> Tue, 29 March 2011 09:22 UTC
Message-ID: <4D91A549.4050107@stpeter.im>
Date: Tue, 29 Mar 2011 11:24:25 +0200
From: Peter Saint-Andre <stpeter@stpeter.im>
To: http-auth@ietf.org
References: <4D90C75A.1040004@aist.go.jp>
In-Reply-To: <4D90C75A.1040004@aist.go.jp>
Subject: Re: [http-auth] side meeting on Wednesday, March 30
When you finish creating your slides, could you send them to the list?

On 3/28/11 7:37 PM, Yutaka OIWA wrote:
> Dear all,
>
> I'm looking forward to seeing you at 20:00 Wednesday in Karlin II/III.
>
> My current plan for the side meeting is to mutually know each other's face by
> meeting face-to-face, and to share the problem space which is broken now and
> which is to be fixed by our future working group (hopefully).
> The important point here is that the solutions must be not only implementable in
> the HTTP client/server, but also deployable and usable by Web applications. I
> believe this is the most problematic point of current largely-unused solutions,
> including TLS client certificate authentication.
>
> I will prepare a small presentation which will describe *my* view of what should
> be done. Your opinions and views are very welcome.
> Also, I am waiting for inputs on the possible future agenda quoted below.
>
> See you,
>
> Yutaka
>
> -------- Original Message --------
> Subject: Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline Monday/Possible W3C Workshop?
> Date: Mon, 31 Jan 2011 20:54:37 +0900
> From: Yutaka OIWA <y.oiwa@aist.go.jp>
> To: Harry Halpin <hhalpin@w3.org>
> CC: http-auth@ietf.org
>
> Dear Harry and all,
>
> "Harry Halpin" <hhalpin@w3.org> writes:
>
>> Another idea would be to hold an informal bar-BOF at Prague if the BOF
>> can't be put together quickly enough, as a bar-BOF would require less work
>> and give us more time to bake the tech ideas or charter. I'll leave this
>> decision in the hands of more experienced IETF folks.
>
> Either way, we will need a good-direction proposal and
> agenda. It is hard for me to write a "good" one, but I made a "bad" :-)
> one as a starting point.
>
> Please consider it for improvements and rephrasing. Thanks Harry for
> providing a very good description which I've used as a starting point.
>
> * Things to consider:
>
> - agenda not yet written
> - goal: currently ambiguous (intentionally); to discuss, or to form WG?
>
> --------
> Description:
>
> The current authentication methods used in the Web system are prone to
> various serious vulnerabilities, including password eavesdropping,
> password stealing, session hijacking, and phishing. Because of the lack
> of good/secure support for web application authentication in the
> HTTP layer, people tend to use HTML forms for authentication, which
> are by nature insecure.
>
> This problem should be solved as soon as possible to mitigate the
> impact of Web authentication-related fraud on Internet
> users. However, to solve this problem, the resulting technologies
> should be carefully designed so that they will be well deployable in
> real-world applications.
>
> Recently we have several new proposals for securing Web/HTTP
> authentication, some of which have proposed drafts. In addition,
> the work of the HTTPBIS working group is about to finish, and it will
> require some maintenance work for the existing HTTP authentication
> mechanisms, at least the registrations with IANA.
>
> The purpose of the proposed BoF is to pursue the creation of IETF working
> groups on various HTTP authentication issues. The possible topics of
> the future working group may include the following:
>
> * Introduction of much more secure authentication mechanisms as
> extensions to HTTP.
>
> * Introduction of technologies which will enable more sophisticated
> use of HTTP authentication in the application layer.
>
> * Research on secure ways of Web/HTML authentication and the
> required protocol-side support for them.
>
> * Maintenance of existing HTTP authentication extensions (other than
> Basic and Digest), either checking their httpbis conformance or making
> them historic.
>
> * Proposing the addition of authentication schemes to the IANA registry
> as proposed by httpbis.
>
> Both the BoF and the possible future working group expect good coordination with
> the W3C's efforts on related topics.
>
>
> BoF proposed agenda:
>
> * Topics to be discussed in the future working group
>
> * TBD
>
> Logistical information:
>
> BoF Chairs: TBD
> BOF Proponents: Harry Halpin, Yutaka OIWA, ... (TBD)
> People expected: 50
> Length of session: 90min
> Conflicts to avoid: Working Groups in the APP and SEC areas
> WebEX: no
> Responsible AD: Peter Saint-Andre, Alexey Melnikov (tentative)
> Goal: to pursue creation of IETF working groups
> Drafts: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08; more to be
> discussed
> Mailing List: HTTP http-auth mailing list
> Mailing List Archive: http://www.ietf.org/mail-archive/web/http-auth/
> --------