[secdir] [new-work] WG Review: Web Bot Auth (webbotauth)
The IESG <iesg@ietf.org> Thu, 02 October 2025 15:01 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HyV2HOLmRjOt0GILfFl83aZVZno>
A new IETF WG has been proposed in the Web and Internet Transport Area. The IESG has not made any determination yet. The following draft charter was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list (iesg@ietf.org) by 2025-10-12.

Web Bot Auth (webbotauth)
-----------------------------------------------------------------------
Current status: BOF WG

Chairs:
  Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
  David Schinazi <dschinazi.ietf@gmail.com>

Assigned Area Director:
  Mike Bishop <mbishop@evequefou.be>

Web and Internet Transport Directors:
  Gorry Fairhurst <gorry@erg.abdn.ac.uk>
  Mike Bishop <mbishop@evequefou.be>

Mailing list:
  Address: web-bot-auth@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/web-bot-auth
  Archive: https://mailarchive.ietf.org/arch/browse/web-bot-auth/

Group page: https://datatracker.ietf.org/group/webbotauth/

Charter: https://datatracker.ietf.org/doc/charter-ietf-webbotauth/

Automated clients (colloquially, ‘bots’) are increasingly used on the Web. These clients may want to securely authenticate themselves as belonging to a specific entity (a company or developer) or as being part of a specific product (an AI bot, a search engine) for various reasons:

1. Origins wish to manage their resources and access control
2. Both bots and origins seek protection against impersonation and reputation damage
3. Origins may wish to differentiate service levels between automated and non-automated traffic

Current solutions (such as IP allowlisting, User-Agent strings, and shared API keys) have significant limitations regarding security, scalability, and manageability.

The Web Bot Authentication (webbotauth) Working Group will standardize methods for cryptographically authenticating automated clients and providing additional information about their operators to Web sites. Its products are intended for use by sites that primarily serve human users.
# Scope

In-scope use cases include cryptographically authenticating access to Web sites for:

- Crawlers for search indices
- Web archivers
- Tools such as link checkers and validators
- Crawlers for AI training
- AI agents retrieving or interacting with content on behalf of end users

The following use cases are out of scope for this work:

- Authenticating access to content not intended for human consumption (e.g., HTTP APIs, agent-to-agent interfaces)
- Authenticating the end user of a participating client or agent
- Authentication for application protocols other than HTTP
- Non-cryptographic authentication
- Defining a vocabulary for the intents of bots
- Tracking or assigning reputation to particular bots
- Techniques for distinguishing non-participating bots from non-bot clients

There is significant industry work on "agents," where an automated client makes requests on an end user's behalf. This effort will focus on authentication of the agent; authentication of the end user is out of scope.

# Deliverables

The Working Group will deliver:

- Standards track document(s) describing technique(s) for authenticating automated clients to Web sites intended for humans.
- Standards track document(s) describing a mechanism for web servers to retrieve more information about a requesting bot via an existing widely-used identifier (such as a domain name, hostname, or URL).
- Best current practice and/or Informational document(s) describing operational considerations such as lifecycle management, key management, deployment considerations, etc.

It will also address impacts on the openness of the web. The new authentication methods produced by this working group can add burden to bot clients and web sites. The working group will consider this additional burden, taking care to avoid architectural bottlenecks.

# Liaison

The Working Group is expected to liaise with the AIPREF, HTTPBIS, OAUTH, TLS, and WIMSE Working Groups as appropriate on any relevant documents.
Milestones:

  Apr 2026 - Standards track specification(s) describing authentication technique(s) sent to the IESG
  Apr 2026 - Standards track specification(s) describing a means for conveying additional information about bots sent to the IESG
  Aug 2026 - Best Current Practice operational specification sent to the IESG

_______________________________________________
new-work mailing list -- new-work@ietf.org
To unsubscribe send an email to new-work-leave@ietf.org