Re: [http-auth] [saag] re-call for IETF http-auth BoF
Nico Williams <nico@cryptonector.com> Mon, 06 June 2011 21:44 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F40A21F8461 for <http-auth@ietfa.amsl.com>; Mon, 6 Jun 2011 14:44:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ycqhq+8Zj8-S for <http-auth@ietfa.amsl.com>; Mon, 6 Jun 2011 14:44:52 -0700 (PDT)
Received: from homiemail-a71.g.dreamhost.com (caiajhbdcaib.dreamhost.com [208.97.132.81]) by ietfa.amsl.com (Postfix) with ESMTP id 2791521F8460 for <http-auth@ietf.org>; Mon, 6 Jun 2011 14:44:52 -0700 (PDT)
Received: from homiemail-a71.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a71.g.dreamhost.com (Postfix) with ESMTP id E9CB9428079 for <http-auth@ietf.org>; Mon, 6 Jun 2011 14:44:51 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=qrBK0QbHJBWkeJ8CmZhqR/memss4rll5squ8sTQFiT7w NjVVki6B5xX8fja63azSw7m6K97rD5jkRiJah3TZo3Q0U8WkZqDiUziBB3bpLa2I xeUYs7N8MUhJlWQefSHp0zcsitg+cHZ/Oo+juVKfrwdnkz6F7CO2LzU6WxwSMsA=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=8Kb6VeLiypfRafTcgEWsu2aH8k8=; b=Z1pBXZKg/3T 8DkbgDrp7+ojd7hfklKZftZ6iGhRgfM4DK3bMNRj/r3WqizVU7eekPS04qRE41XS xLYzTd/2Y8HjB4GajGsGUj0P4aPkEUv/soW7MN1JJ5c917GqmcMsgidVitPCkTcD uwTLBeFIFjYKYUKykempHzsj1MphC1/I=
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a71.g.dreamhost.com (Postfix) with ESMTPSA id A7251428078 for <http-auth@ietf.org>; Mon, 6 Jun 2011 14:44:51 -0700 (PDT)
Received: by vxg33 with SMTP id 33so3941770vxg.31 for <http-auth@ietf.org>; Mon, 06 Jun 2011 14:44:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.75.37 with SMTP id z5mr7678139vdv.261.1307396691061; Mon, 06 Jun 2011 14:44:51 -0700 (PDT)
Received: by 10.52.112.163 with HTTP; Mon, 6 Jun 2011 14:44:51 -0700 (PDT)
In-Reply-To: <A89D85D0-00AB-4F21-8841-6707E9CDCFC4@gmx.net>
References: <878vtgfbs1.fsf@bluewind.rcis.aist.go.jp> <A89D85D0-00AB-4F21-8841-6707E9CDCFC4@gmx.net>
Date: Mon, 06 Jun 2011 16:44:51 -0500
Message-ID: <BANLkTind5rg-tOZJ+B2ocD_s=9_-rufH5Q@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: http-auth@ietf.org
Subject: Re: [http-auth] [saag] re-call for IETF http-auth BoF
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2011 21:44:53 -0000
On Mon, Jun 6, 2011 at 3:30 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: > For me, the main questions are: > > * What is the biggest problem? > You, for example, point to the usage of forms for user authentication in Web pages in the agenda proposal. > The NSTIC fans seem to believe that passwords are the problem to begin with. You know from the workshop that my view is that web authentication should be pluggable with respect to authentication mechanisms. Passwords are a HUGE problem if you must type them at untrusted entities. (Such as: kiosks, hotel business center desktops, other people's laptops, or even pretty much any computer, given the current state of local security on user desktops and, soon, if not already, mobiles. But also: untrusted web page forms -- the fact that TLS server certs are used, when they are, is not enough.) > * What solution approach is most promising? (or multiple approaches) > You seem to suggest to standardize a strong-password based authentication mechanism in http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05 > NSTIC fans seem to believe that the approach is towards stronger credentials (non-password-based) and the usage of federated log-ins. > Again others believe that we will never agree on a single authentication protocol and hence we need a framework that allows passwords to be plugged in dynamically. > Browser vendors are interested, as you may recall from the Identity in the Browser discussion, in standardizing username/password form indications so that the user does not need to type their username & password too often into forms - but the browser does it instead. My proposal: http://www.w3.org/2011/identity-ws/slides/Williams.pdf http://www.ietf.org/id/draft-williams-rest-gss-00.txt http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_16.pdf > * How do we motivate the different stakeholders to implement and deploy our favorite solutions? (There is also the usability issue for the user.) > Whatever you come up with changes are needed on the client, and on the server side. That requires a lot of cooperation. I'm trying... I'm looking for: people who will want to implement one aspect or another of REST-GSS because it successfully addresses immediate problems for them (this would be, mostly, non-browser HTTP-based applications and the server side of those). I'm also trying other angles. But my approaches may be all wrong. So I too want to hear your opinions on how to get momentum going. One possibility is to build consensus in the IETF and push the W3C from there. I'm not sure that's wise. I think the best approach, for now, is to demo solutions. Since all solutions pretty much require new UIs (and JavaScript APIs) in the browsers, we need to start by implementing demos in the browsers themselves, now. Finally, the incipient JavaScript crypto APIs will be successful in that they will be widely popular. They will not solve the real problems because either users will still be typing secrets at untrusted interfaces (scripts used by untrusted pages) or because there will be no simple way to control access to cryptographic material in software or hardware tokens/smartcards. But I'm afraid that the appearance of success will be enough to staunch progress in any other areas, so it may be a now-or-never situation for any alternatives other than JavaScript crypto APIs. Nico --
- Re: [http-auth] [saag] re-call for IETF http-auth… Yutaka OIWA
- Re: [http-auth] [saag] re-call for IETF http-auth… Tim
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Harry Halpin
- Re: [http-auth] [saag] re-call for IETF http-auth… Hannes Tschofenig
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Tim
- Re: [http-auth] [saag] re-call for IETF http-auth… Marsh Ray
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Stephen Farrell
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Marsh Ray
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Julian Reschke
- [http-auth] Fwd: re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] [websec] re-call for IETF http-au… Phillip Hallam-Baker
- Re: [http-auth] [websec] re-call for IETF http-au… Alexey Melnikov
- Re: [http-auth] [saag] [websec] re-call for IETF … Peter Gutmann
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [websec] [saag] re-call for IETF … Stephen Farrell
- Re: [http-auth] [websec] [saag] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … KIHARA, Boku
- [http-auth] Fwd: [saag] [websec] re-call for IETF… KIHARA, Boku
- Re: [http-auth] [websec] Fwd: [saag] re-call for … Thomas Roessler
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Peter Gutmann
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Josh Howlett
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Marc Williams
- Re: [http-auth] [saag] [websec] Fwd: re-call for … SHIMIZU, Kazuki
- Re: [http-auth] [saag] [websec] Fwd: re-call for … GOGWIM, JOEL GODWIN
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Nico Williams
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Henry B. Hotz
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yutaka OIWA
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yutaka OIWA
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yaron Sheffer
- Re: [http-auth] [websec] [saag] Fwd: re-call for … Marsh Ray
- Re: [http-auth] [websec] [saag] Fwd: re-call for … Stephen Farrell
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Phillip Hallam-Baker
- Re: [http-auth] [websec] [saag] re-call for IETF … Thomas Fossati
- Re: [http-auth] [websec] [saag] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Henry B. Hotz