[websec] HTTP-Auth BoF meeting in Atlanta

Yoav Nir <ynir@checkpoint.com> Tue, 02 October 2012 10:27 UTC

Hi all

In Vancouver, the httpbis working group declined to adopt any of the proposed authentication schemes. 

In the coming IETF meeting, the security area is going to have a BoF with the intention of forming a working group to create a bunch of experimental RFCs for new authentication methods in HTTP.

There are quite a few proposed methods. Follow this URL to see a list: http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HttpAuthProposals

If you are interested in this topic, we'd be happy to see you in the BoF.  One thing that I think is missing from the discussion is the UI implications of authentication at the HTTP layer. It has been suggested that UI issues are the reason for the relatively sparse deployment of HTTP layer authentication, but I don't think the current discussion has been informed by UI experts who could tell us what future authentication methods should do in terms of UI to gain meaningful deployment. If you or someone you know has such expertise and would be willing to speak at the Atlanta BoF, please contact Derek Atkins and me offline.

(with BoF chair hat on)