Re: [http-auth] side meeting on Wednesday, March 30

Yutaka OIWA <y.oiwa@aist.go.jp> Wed, 30 March 2011 14:02 UTC

Message-ID: <4D93385C.1030604@aist.go.jp>
Date: Wed, 30 Mar 2011 23:04:12 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4D90C75A.1040004@aist.go.jp> <4D91A549.4050107@stpeter.im>
In-Reply-To: <4D91A549.4050107@stpeter.im>
Cc: http-auth@ietf.org
Subject: Re: [http-auth] side meeting on Wednesday, March 30

Peter and all in http-auth list,

here are my slides to be presented at the bar-bof at 8pm.

https://staff.aist.go.jp/y.oiwa/publications/IETF80-http-auth-barbof-oiwa.pdf

# Is there a better place to put this kind of material?

On 2011/03/29 18:24, Peter Saint-Andre wrote:
> When you finish creating your slides, could you send them to the list?
> 
> On 3/28/11 7:37 PM, Yutaka OIWA wrote:
>> Dear all,
>>
>> I'm looking forward to seeing you at 20:00 Wednesday in Karlin II/III.
>>
>> My current plan for the side meeting is to get to know each other's faces by
>> meeting face-to-face, and to share the problem space which is broken now and
>> which is to be fixed by our future working group (hopefully).
>> The important point here is that the solutions must be not only implementable in
>> the HTTP client/server, but also deployable and usable by Web applications. I
>> believe this is the most problematic point of current largely-unused solutions,
>> including TLS client certificate authentication.
>>
>> I will prepare a small presentation which will describe *my* view of what should
>> be done.  Your opinions and views are very welcome.
>> Also, I am waiting for inputs on the possible future agenda quoted below.
>>
>> See you,
>>
>> Yutaka
>>
>> -------- Original Message --------
>> Subject: Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline
>> Monday/Possible W3C Workshop?
>> Date: Mon, 31 Jan 2011 20:54:37 +0900
>> From: Yutaka OIWA <y.oiwa@aist.go.jp>
>> To: Harry Halpin <hhalpin@w3.org>
>> CC: http-auth@ietf.org
>>
>> Dear Harry and all,
>>
>> "Harry Halpin" <hhalpin@w3.org> writes:
>>
>>> Another idea would be to hold an informal bar-BOF at Prague if the BOF
>>> can't be put together quickly enough as a bar-BOF would require less work
>>> and give us more time to bake the tech ideas or charter. I'll leave this
>>> decision in the hands of more experienced IETF folks.
>>
>> Either way, we will need a good-direction proposal and
>> agenda.  It is hard for me to write a "good" one, but I made a "bad" :-)
>> one as a starting point.
>>
>> Please consider it for improvements and rephrasing.  Thanks to Harry for
>> providing very good descriptions which I've used as a starting point.
>>
>>  * Things to consider:
>>
>>    - agenda not yet written
>>    - goal: currently ambiguous (intentionally); to discuss, or to form WG?
>>
>> --------
>> Description:
>>
>> The current authentication methods used in the Web system are prone to
>> various serious vulnerabilities, including password eavesdropping,
>> password stealing, session hijacking, and phishing.  Because of the lack
>> of good/secure support for web application authentication in the
>> HTTP layer, people tend to use HTML forms for authentication, which
>> are by nature insecure.
>>
>> This problem should be solved as soon as possible to mitigate the
>> impact of Web authentication-related fraud on Internet
>> users. However, to solve this problem, the resulting technologies
>> should be carefully designed so that they will be readily deployable in
>> real-world applications.
>>
>> Recently we have several new proposals for securing Web/HTTP
>> authentication, some of which have proposed drafts.  In addition,
>> the work of the HTTPBIS working group is about to finish, and it will
>> require some maintenance work for the existing HTTP authentication
>> mechanisms, at least the registrations with IANA.
>>
>> The purpose of the proposed BoF is to pursue creation of IETF working
>> groups on various HTTP authentication issues.  The possible topics of
>> the future working group may include the following topics:
>>
>>  * Introduction of much more secure authentication mechanisms as
>>    extensions to HTTP.
>>
>>  * Introduction of technologies which will enable more sophisticated
>>    use of HTTP authentication in the application layer.
>>
>>  * Research on the secure ways of Web/HTML authentications and
>>    required protocol-side support for them
>>
>>  * Maintenance of existing HTTP authentication extensions (other than
>>    Basic and Digest), either checking their conformance to httpbis or
>>    making them historic.
>>
>>  * Proposing addition of authentication schemes to the IANA registry
>>    as proposed by httpbis.
>>
>> Both the BoF and the possible future working group expect good coordination
>> with W3C's effort on the related topics.
>>
>>
>> BoF proposed agenda:
>>
>>  * Topics to be discussed in the future working group
>>
>>  * TBD
>>
>> Logistical information:
>>
>> BoF Chairs: TBD
>> BOF Proponents: Harry Halpin, Yutaka OIWA, ... (TBD)
>> People expected: 50
>> Length of session: 90min
>> Conflicts to avoid: Working Groups in the APP and SEC areas
>> WebEX: no
>> Responsible AD: Peter Saint-Andre, Alexey Melnikov (tentative)
>> Goal: to pursue creation of IETF working groups
>> Drafts:  http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08; more to be
>> discussed
>> Mailing List: HTTP http-auth mailing list
>> Mailing List Archive: http://www.ietf.org/mail-archive/web/http-auth/
>> --------
>>


-- 
Yutaka Oiwa                       National Institute of Advanced Industrial Science and Technology (AIST)
            Research Center for Information Security, Software Security Research Team
                                      <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]