[http-auth] Draft Minutes from IETF-85 in Atlanta

Derek Atkins <derek@ihtfp.com> Wed, 28 November 2012 15:18 UTC

Hi, all

Sorry for taking so long to get these out..  Here are the draft minutes
from the meeting in Atlanta.  Please let me know if I've missed
anything.  I'll post these to the meeting website next week, so please
comment if I've made a mistake.

Thanks,

-derek, co-chair

HTTP-AUTH BoF
Wednesday afternoon
Yoav Nir and Derek Atkins
Minutes by Paul Hoffman
Not repeating stuff on the slides, mostly catching the discussion

Problem statement - Yoav
	Lots of problems listed
	Eric Rescorla (Ekr): Clients can log off by rebooting
		Servers can log off with cookies
	Oiwa: Cookies can be used to log in and out
	Justin Richer: Question of what is and is not "logoff"
		This isn't session management; it's just repeating stuff
	Mark Nottingham: Making HTTP authentication better is a good target
		Don't try to fix Web authentication; beyond our abilities
	Henrik Levkowetz: Session concept is more important
		Can't put a link on a web page to have the user log out
		Wants to be able to log out from a web site
	Julian Reschke: Can't close IE 10 on Metro
	Ekr: Massive difference between fixing Web authentication and HTTP-Auth
	Phill Hallam-Baker: We don't define what we mean as authentication
		Could be getting a credential, could mean actually logging in
		Only one belongs at HTTP layer
		We can change HTTP so that it talks to other layers better
	Henrik: Phill makes sense.
		Ekr's view is unconstructive
	Sam Hartman: Cares about things smaller than Web authentication
		Yoav: Get your own BoF
	Mark: There were non-obvious requirements for Web authentication
		Major players are not here
		This is a more important discussion than presentations
		Lots of people agree with the last item
	Sean Turner: Getting the scope is hard
		Goal is to get a bunch of experimental documents out there
	Derek: This is a BoF, not a WG

HOBA - draft-farrell-httpbis-hoba - Stephen Farrell
	Ekr: Why does this exist? It can already be done.
		Stephen: Why hasn't it been done already?
	Richard Barnes: This doesn't have continuity
	Jeff Hodges: This isn't about passwords being kept on the server side
		This is waiting for WebCrypto from W3C
	Hannes Tschofenig: People can just do it, doesn't need standardization
		Different understanding of which problems are needed to be fixed
	Phill: Wrote a draft that says you need a continuation mechanism
		Symmetric crypto is better for continuation mechanism
	Paul Leach: Could be done with large unique per-site password
	Phil Hunt: Will be key management issues with multiple devices
		Good for session continuance

HTTP Mutual auth - Yutaka OIWA
	No questions / Comments

Multilegged Auth for HTTP/2.0 - draft-montenegro-httpbis-multilegged-auth - Gabriel Montenegro
	Jeff: "Multiple round trips" should be used instead of multi-legged
	Nico Williams: Suggesting to put state into the protocol. Are we still saying HTTP is stateless?
		Gabriel: Is putting this into a layer
	Yutaka: Not all proposals need this mechanism
		Only needed for things like NTLM and so
		Gabriel: Wants to prevent them from being shut out of this world
	Leif Johansson: Had a draft a while ago.
		Need to deal with proxies: non-trivial
		Need some content replication between servers
		More to state handling than just cookies
		May want to have TLS channel bindings
	Paul L: Shows a reasonable effort
		This is a good way to not need to change stacks
		Leif: It is not always clear that you can separate the session identifier from the session identifier

Salted Challenge Response (SCRAM) HTTP Authentication Mechanism - draft-melnikov-httpbis-scram-auth - Alexey Melnikov
	Ekr: How does this map to the web authentication case?
		Alexey: Typical is two round trips
	Yutaka: I already invented something like this

RESTful Authentication - draft-williams-http-rest-auth - Nico
	Jeff: Proposed something else that used SASL over HTTP, and it was implemented
	Sam: Maybe we should look at gluing HTTP to the application layer
		Nico: Adds a session header
	Paul L: This can be done in Javascript with cookies
		Nico: It would work with all TLS; works with TLS Unique but not others
	Yutaka: Similar to OAuth with a MAC added
		Nico: Really doesn't care what mechanism they want to use
			Works fine with ZKP proofs

Charter discussion
	How many people would be willing to do work that does not standardize but does experimental: 20-30
	Feels like should not be formed: 0
		Cullen Jennings: Really bad idea to have RFCs with lots of ideas
		Ekr: Is this a vanity publishing idea?
			Wants us to do one thing instead of five
			Yoav: If we had one thing to do, it would have been done by httpbis
	Phill: Solutions with privacy cause a problem
	Nico: Maybe new name for RFC that is experimental
		If that's the only issue, fix that
		Yoav: Anyone can get an RFC with or without us. This is for better review.
	Sam: All proposals today could get RFCs.
		This is about better quality, it is worth taking the time to make them better
	Jim Fenton: Different proposals had different goals in mind
		What are we trying to accomplish?
		Different goals make it hard to decide if this is a good idea
	Joe Hildebrand: The IETF doesn't do well at research-like explorations
		Feels like you are chartering people to wander around in the desert
	Peter Saint-Andre: No proposal to make the efforts talk to each other
	Ekr: There is a valuable something here
		Web authentication space is full of stuff
		The idea that what we will do will be picked up is divorced from reality
	Hannes: Wants to hold a workshop
		There are some real identity problems
		Some directions don't require any changes to HTTP Auth
	Leif: A set of toolbox proposals (multi-legged, ...)
		Doesn't have to be experimental
	Paul L: Concerned about the method for "better"
		Can make things better but not worthwhile
		That definition will be the thing that makes people want to work together
	Stephen: You always get pushback because Web auth
		Starting something gets some good starting points
	Phill: Difference between web browsers and web services
		Are people willing to use parts?
	Hannes: Should have a use cases document and why the existing mechanisms don't fit their needs
	Yoav: HTTP is in the browser
	Sam: Cover other use cases for HTTP
		Jeff: Likes that
	Spencer Dawkins: Will this work cause other people to look at these documents
	Barry Leiba: Would expect WG to have rough consensus that a particular document is worthwhile to publish
		Also need to convince one AD to publish
	Peter: If we are calling this as experiments, do real experiments
		Some people clapped
	Gabriel: Two types of potential outcomes: What we have heard today as experimental; baby steps on standards track
	Ekr: Maybe send this to the IRTF
		Stephen disagrees


-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant