Re: [OAUTH-WG] draft-oiwa-http-mutualauth-06

Yutaka OIWA <y.oiwa@aist.go.jp> Fri, 26 February 2010 18:04 UTC

To: OAuth WG <oauth@ietf.org>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Sat, 27 Feb 2010 03:06:33 +0900
Message-ID: <87635jan2u.fsf@bluewind.rcis.aist.go.jp>
Subject: Re: [OAUTH-WG] draft-oiwa-http-mutualauth-06

Dear people in OAuth WG mailing list,

I recently updated the draft for HTTP Mutual Access Authorization
Protocol.  The draft is available from IETF website at
<http://tools.ietf.org/html/draft-oiwa-http-mutualauth-06>.

This protocol was first proposed to the httpbis WG, and as suggested
there previously (in IETF 74), I send this to OAuth WG at this time.
Although the protocol itself is designed separately from the OAuth
protocol, I believe that this protocol is beneficial for many OAuth
users.  Please take a look at it, and comments are always welcome.

This -06 revision is a minor update: I have integrated several useful
comments received from many people.  I'm very grateful for those comments.

I'm going to attend both the OAuth WG and the Httpbis WG at Anaheim,
so I'm looking forward to seeing you there.
If you're interested, please search for us in Anaheim,
and I can make a demonstration there.

# The demonstration is also available on our website
# <https://www.rcis.aist.go.jp/special/MutualAuth/>, but you will
# need to install a browser with the protocol support there.


A very short introduction:

This protocol provides true mutual authentication between HTTP clients
and servers using simple password-based authentication in a very
secure way.  This protocol enables clients to check whether the SERVER
knows the user's entity (encrypted password), and also ensure that the
client password itself will not be exposed to a peer server.  By using
this protocol we can protect the client's passwords from forged
(phishing) servers. Furthermore, the mutual authentication provided by
this protocol will also protect other important information from
phishing attacks.

More details are available on the draft and a preprint available from
our website <https://www.rcis.aist.go.jp/special/MutualAuth/>.


Some issues currently pending:

   o  Format of the "Authentication-Control" header and other header
      fields extending the general HTTP authentication scheme, and
      harmonization of those with other draft proposals such as 
      <http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0086.html>
      and Thomas' 308 status code proposal
      <http://lists.w3.org/Archives/Public/public-web-security/2010Jan/0001.html>.

   o  Restructuring of the draft, possibly separating it into several
      parts, e.g. introduction, general HTTP extensions and Mutual
      authentication.  I am currently planning to do it after the
      harmonization above.

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]