WG Action: Formed Web Bot Auth (webbotauth)

The IESG <iesg-secretary@ietf.org> Thu, 23 October 2025 21:35 UTC


A new IETF WG has been formed in the Web and Internet Transport Area. For
additional information, please contact the Area Directors or the WG Chairs.

Web Bot Auth (webbotauth)
-----------------------------------------------------------------------
Current status: BOF WG

Chairs:
  Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
  David Schinazi <dschinazi.ietf@gmail.com>

Assigned Area Director:
  Mike Bishop <mbishop@evequefou.be>

Web and Internet Transport Directors:
  Gorry Fairhurst <gorry@erg.abdn.ac.uk>
  Mike Bishop <mbishop@evequefou.be>

Mailing list:
  Address: web-bot-auth@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/web-bot-auth
  Archive: https://mailarchive.ietf.org/arch/browse/web-bot-auth/

Group page: https://datatracker.ietf.org/group/webbotauth/

Charter: https://datatracker.ietf.org/doc/charter-ietf-webbotauth/

Automated clients (colloquially, ‘bots’) are increasingly used on the Web.
These clients may want to securely authenticate themselves as belonging to a
specific entity (a company or developer) or as being part of a specific
product (an AI bot, a search engine) for various reasons:

1. Origins wish to manage their resources and access control
2. Both bots and origins seek protection against impersonation and reputation
   damage
3. Origins may wish to differentiate service levels between automated and
   non-automated traffic

Current solutions (such as IP allowlisting, User-Agent strings, and shared
API keys) have significant limitations regarding security, scalability, and
manageability.

The Web Bot Authentication (webbotauth) Working Group will standardize
methods for cryptographically authenticating automated clients and providing
additional information about their operators to Web sites. Its products are
intended for use by sites that primarily serve human users.

# Scope

In-scope use cases include cryptographically authenticating access to Web
sites for:
- Crawlers for search indices
- Web archivers
- Tools such as link checkers and validators
- Crawlers for AI training
- AI agents retrieving or interacting with content on behalf of end users

The following use cases are out of scope for this work:
- Authenticating access to content not intended for human consumption (e.g.,
  HTTP APIs, agent-to-agent interfaces)
- Authenticating the end user of a participating client or agent
- Authentication for application protocols other than HTTP
- Non-cryptographic authentication
- Defining a vocabulary for the intents of bots
- Tracking or assigning reputation to particular bots
- Techniques for distinguishing non-participating bots from non-bot clients

There is significant industry work on "agents," where an automated client
makes requests on an end user's behalf. This effort will focus on
authentication of the agent; authentication of the end user is out-of-scope.

# Deliverables

The Working Group will deliver:
- Standards track document(s) describing technique(s) for authenticating
  automated clients to Web sites intended for humans.
- Standards track document(s) describing a mechanism to convey more
  information about a requesting bot using an existing widely-used identifier
  (such as a domain name, hostname, or URL).
- Best current practice and/or Informational document(s) describing
  operational considerations such as lifecycle management, key management,
  deployment considerations, etc. It will also address impacts on the
  openness of the web.

The new authentication methods produced by this working group can add burden
to bot clients and web sites. The working group will consider this additional
burden, taking care to avoid architectural bottlenecks.

# Liaison

The Working Group is expected to liaise with the AIPREF, HTTPBIS, OAUTH, TLS,
and WIMSE Working Groups as appropriate on any relevant documents.

Milestones:

  Apr 2026 - Standards track specification(s) describing authentication
  technique(s) sent to the IESG

  Apr 2026 - Standards track specification(s) describing a means for
  conveying additional information about bots sent to the IESG

  Aug 2026 - Best Current Practice operational specification sent to the IESG