Re: [http-auth] side meeting on Wednesday, March 30
"Harry Halpin" <hhalpin@w3.org> Tue, 29 March 2011 12:39 UTC
Date: Tue, 29 Mar 2011 13:40:56 +0100
From: Harry Halpin <hhalpin@w3.org>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
Cc: http-auth@ietf.org
Subject: Re: [http-auth] side meeting on Wednesday, March 30
I will also be at the Bar-BOF, and look forward to meeting you all. As I
promised the list earlier, the W3C is also getting ready to help out by
hosting a workshop called "Identity in the Browser":
http://www.w3.org/2011/identity-ws/

The workshop is free with a position paper and will be May 24-25th in
Mountain View, hosted by Mozilla - who will have a desire I believe to
really get things working given that last incident :) If you have any
questions, just ask me about it, I'm around at the IETF meeting all week.

We're looking forward to a proposal from the IETF crowd on how the browsers
can better enable the user-interface and functionality/APIs to build on top
of a new actually secure version of HTTP Auth, as well as work around WOES
from yesterday and other related subjects.

cheers,
harry

> Yes, please give me a while.
>
> On 2011/03/29 18:24, Peter Saint-Andre wrote:
>> When you finish creating your slides, could you send them to the list?
>>
>> On 3/28/11 7:37 PM, Yutaka OIWA wrote:
>>> Dear all,
>>>
>>> I'm looking forward to seeing you at 20:00 Wednesday in Karlin II/III.
>>>
>>> My current plan for the side meeting is to mutually know each other's
>>> face by meeting face-to-face, and to share the problem space which is
>>> broken now and which is to be fixed by our future working group
>>> (hopefully). The important point here is that the solutions must be
>>> not only implementable to the HTTP client/server, but also deployable
>>> and usable by Web applications. I believe this is the most problematic
>>> point of current largely-unused solutions including TLS client
>>> certificate authentication.
>>>
>>> I will prepare a small presentation which will describe *my* view of
>>> what should be done. Your opinions and views are very welcome.
>>> Also, I am waiting for inputs for the possible future agenda quoted
>>> below.
>>>
>>> See you,
>>>
>>> Yutaka
>>>
>>> -------- Original Message --------
>>> Subject: Re: [http-auth] HTTP Auth Next BOF at IETF Prague deadline Monday/Possible W3C Workshop?
>>> Date: Mon, 31 Jan 2011 20:54:37 +0900
>>> From: Yutaka OIWA <y.oiwa@aist.go.jp>
>>> To: Harry Halpin <hhalpin@w3.org>
>>> CC: http-auth@ietf.org
>>>
>>> Dear Harry and all,
>>>
>>> "Harry Halpin" <hhalpin@w3.org> writes:
>>>
>>>> Another idea would be to hold an informal bar-BOF at Prague if the BOF
>>>> can't be put together quickly enough, as a bar-BOF would require less
>>>> work and give us more time to bake the tech ideas or charter. I'll
>>>> leave this decision in the hands of more experienced IETF folks.
>>>
>>> In both ways, anyway, we will need a good-direction proposal and
>>> agenda. It is hard for me to write a "good" one, but I made a "bad" :-)
>>> one as a starting point.
>>>
>>> Please consider it for improvements and rephrasing. Thanks Harry for
>>> providing very good descriptions which I've used as a starting point.
>>>
>>> * Things to consider:
>>>
>>> - agenda not yet written
>>> - goal: currently ambiguous (intentionally); to discuss, or to form WG?
>>>
>>> --------
>>> Description:
>>>
>>> The current authentication methods used in the Web system are prone to
>>> various serious vulnerabilities, including password eavesdropping,
>>> password stealing, session hijack, and phishing. Because of the lack
>>> of good/secure support for web application authentication in the
>>> HTTP layer, people tend to use HTML forms for authentication, which
>>> are by nature insecure.
>>>
>>> This problem should be solved as soon as possible to mitigate the
>>> impact of Web authentication-related frauds on Internet users.
>>> However, to solve this problem, the resulting technologies should be
>>> carefully designed so that they will be well deployable to real-world
>>> applications.
>>>
>>> Recently we have several new proposals for securing Web/HTTP
>>> authentication, some of which have proposed drafts. In addition,
>>> the work of the HTTPBIS working group is about to finish, and it will
>>> require some maintenance work for the existing HTTP authentication
>>> mechanisms, at least the registrations to IANA.
>>>
>>> The purpose of the proposed BoF is to pursue creation of IETF working
>>> groups on various HTTP authentication issues. The possible topics of
>>> the future working group may include the following topics:
>>>
>>> * Introduction of much more secure authentication mechanisms as
>>> extensions to HTTP.
>>>
>>> * Introduction of technologies which will enable more sophisticated
>>> use of HTTP authentication in the application layer.
>>>
>>> * Research on the secure ways of Web/HTML authentication and the
>>> required protocol-side support for them.
>>>
>>> * Maintenance of existing HTTP authentication extensions (other than
>>> Basic and Digest), either checking their httpbis conformance or making
>>> them historic.
>>>
>>> * Proposing addition of authentication schemes to the IANA registry
>>> as proposed by httpbis.
>>>
>>> Both the BoF and the possible future working group expect good
>>> coordination with W3C's effort on the related topics.
>>>
>>>
>>> BoF proposed agenda:
>>>
>>> * Topics to be discussed in the future working group
>>>
>>> * TBD
>>>
>>> Logistical information:
>>>
>>> BoF Chairs: TBD
>>> BOF Proponents: Harry Halpin, Yutaka OIWA, ... (TBD)
>>> People expected: 50
>>> Length of session: 90min
>>> Conflicts to avoid: Working Groups in the APP and SEC areas
>>> WebEX: no
>>> Responsible AD: Peter Saint-Andre, Alexey Melnikov (tentative)
>>> Goal: to pursue creation of IETF working groups
>>> Drafts: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08; more to be discussed
>>> Mailing List: HTTP http-auth mailing list
>>> Mailing List Archive: http://www.ietf.org/mail-archive/web/http-auth/
>>> --------
>>>
>>
>> _______________________________________________
>> http-auth mailing list
>> http-auth@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-auth
>
> --
> 大岩 寛 Yutaka Oiwa
> National Institute of Advanced Industrial Science and Technology (AIST)
> Research Center for Information Security
> Software Security Research Team
> <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]