http-auth: Mutual - drafts updated

Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 21 May 2012 13:16 UTC

Message-ID: <4FBA224B.8080102@aist.go.jp>
Date: Mon, 21 May 2012 20:08:59 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: "http-auth@ietf.org" <http-auth@ietf.org>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Subject: http-auth: Mutual - drafts updated
Archived-At: <http://www.w3.org/mid/4FBA224B.8080102@aist.go.jp>

Dear all,

I have updated my three drafts related to HTTP authentication:

http://tools.ietf.org/html/draft-oiwa-http-mutualauth-11
http://tools.ietf.org/html/draft-oiwa-http-mutualauth-algo-02
http://tools.ietf.org/html/draft-oiwa-http-auth-extension-01

The first one is the main draft introducing cryptographically strong
mutual authentication using weak secrets (i.e., passwords) to HTTP.
Both password safety and server-to-client authenticity assurance
are the key features of the proposal.

The second one defines an example crypto algorithm for use with
the above.

The last one is a companion draft making a small but powerful enough
(I believe so) semantic extension to HTTP authentication, which can be
used just like API calls from Web applications, so that
it can support modern Web applications.  This erases (or
at least mitigates) many problems which prevent the introduction of strong
authentication to the Web in a browser- (not content-)controlled manner.

With the first proposal, we can replace Basic and Digest with stronger
crypto-based authentication.  Using both the first and the third,
we can also bring that strength to applications which currently
use custom application-implemented authentication.
I will add some use-case examples to the last draft soon, hopefully.

I'll ask Mark separately off-list about handling of the second and third drafts
under the prescribed procedure, then I'm going to submit the set as an httpbis
auth candidate within a week or so.

Appendix 1: main updates from the previous drafts:
  - extending stale session notification to more generic indications.
  - updated to follow the latest httpbis syntax conventions.

Appendix 2: about crypto choices:
In the previous side meetings, we discussed that
crypto choice discussions should be postponed to another appropriate time.
We are still maintaining the second draft now, however,
just because we need at least one choice for testing and evaluating
implementations.  So, if you have opinions about algorithm choices,
please keep that in mind, and so will I.
The title of the second draft has been changed slightly to reflect that.

-- 
Yutaka OIWA, Ph.D.              Leader, Software Reliability Research Group
                              Research Institute for Secure Systems (RISEC)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]