A short minutes report on http-auth side-meeting (Bar-BoF)

20:00-21:30, Wednesday 30 March 2011, Karlin 3, IETF 80

Agenda Done

  • Presentation about http-auth's future
  • Presentation about the HTTP mutual authentication proposal
    • These presentations are available here
  • A lot of discussion, extending the allotted time

Discussion Minutes

(order not preserved)

General matters

  • We need to fix the current broken HTTP/Web authentication :-)
  • Need a clearer statement of the requirements and the problem statement
    • We need to consider non-Web applications as well as Web applications
    • What about enterprise applications?
      • e.g. HTTP Negotiate used with Windows Active Directory
    • Client machine authentication: hard, but we may need it
    • Relationship with other areas/WGs, e.g. abfab, TLS, ...
    • There may be different requirements for other use cases we should think of
  • We do not need a single solution to discuss and choose; we may have multiple options
  • Interoperability is important, as with Kerberos or OpenID

HTTP Mutual authentication, in general

  • We'd better have backward compatibility
  • We'd be happy if we could have a step-by-step, incremental transition that improves security
    • e.g. first with existing clients, next by changing the client, last by server replacement
  • We'd hate having 300+ passwords for many websites

HTTP Mutual authentication, UI and client issues

  • About backward compatibility
  • We need more Browser Guys to be involved
  • Can it not be forged using canvas? -- no
  • Web designer will be unhappy and will not use it?
    • We can not give everything they want, but we can provide some help
  • Is it an IETF topic? Where to discuss?
    • IIB (see below) will be in May
  • We need MSIE support for deployment
  • Can we have better UI, assuming tab-browser experiences?

HTTP Mutual authentication, IP issues

  • What is the current IPR status of the proposal?
    • oiwa: a reported issue in the initial -00 draft is fixed now
    • It is unrelated to AugAKE, proposed by another person in the same organization
    • secarea had difficulties in the past with IPsec and others; we must be careful this time
  • We can start with the current proposal, and if needed the cryptography parts can be replaced afterwards
    • Can the proposal be modularized? (oiwa: yes)
    • Oiwa: I now intend to separate the draft into 3 parts: the general framework, the HTTP auth extension, and the cryptographic primitive used
  • We need cross-area discussions
  • What does PAKE mean here? --- in this room, it is used as a protocol group, not a specific crypto primitive

HTTP Mutual authentication, technical questions

  • Can it really assure that the server knows the password? --- yes
  • Is there a need for server-side password storage? --- The server-side user DB is stored in a way that is not reusable for any other server, even if it is stolen
  • What about session hijacking? --- we need TLS for complete security
    • Does unencrypted HTTP use make sense? --- at least there is a need for it in the real world
  • What about channel binding? --- under TLS it does.

The logistics for our future

  • Are we going to have a BoF in Quebec?
    • Advice from someone who knows IETF procedures well is absolutely needed
    • We should start the effort now, leaving plenty of preparation time for Quebec
  • Where to have the discussion?
  • The W3C "Identity in Browser" workshop will be in San Francisco in May

Last modified on Apr 1, 2011, 1:32:04 AM