NOTICE: As of 2022-12-02 this Trac wiki is no longer maintained. Please see NEW WIKI for the current version of the IETF HTTP-Auth WG Wiki.

Welcome to the HTTP-Auth WG Trac installation

08-Oct-2013 Virtual Interim Meeting

Minutes are below!
For now, you can get the audio recording here

HTTP-AUTH Virtual Interim Meeting
Tuesday, October 8. 15:00 - 16:30 UTC

Present at the interim meeting were:

  • Yoav Nir
  • Matt Lepinski
  • Yutaka Oiwa
  • Stephen Farrell
  • Carsten Bormann
  • Nico Williams

The purpose of the interim meeting was to resolve open issues in the document: draft-ietf-httpauth-mutual-00

The following open issues were discussed at the meeting:
(See: )

  • #2: Use of TLS Channel Binding for tls-key
  • #3: A few issues with pwd-hash
  • #4: Some issues with Authentication Realm
  • #5: Is STALE needed?
  • #6: Issues in Section 6
  • #7: What is the value of non-mandatory auth?
  • #8: Security Considerations Issues
  • #9: Simplified protocol description "crypto paper"-style

The following action items resulted from the meeting:


The authors will produce text explaining the issue and, in particular, why they chose not to re-use web origin (RFC 6454). The authors will send this explanatory text to the mailing list.


The authors are hesitant to use the mechanism in RFC 5929 because they are concerned about the adoption status of RFC 5929 and don't want a dependency on RFC 5929 to hinder implementation of the mutal-auth mechanism. Several working group participants feel quite strongly that RFC 5929 is the future, and that HTTPAUTH is well-served to use the already-standardized channel binding mechanism.

The authors will send a message to the list and propose a way forward on this issue.


The authors explained that this feature is present for backward compatibility with existing password databases. There were multiple opinions on the call regarding whether this backward compatibility is important. (That is, are entities that have large legacy password databases likely to migrate to Mutual-Auth if this backward compatibility is provided?)

The chairs will start a discussion on the list to try to get input from a wider set of people regarding whether the PWD-hash feature is useful. The authors indicated they are willing to remove this feature if it turns out that the community does not think it is useful.


The next version of the Mutual-Auth draft will incorporate the idea of how long the server should keep session information

===ISSUE #6=== The authors explained that this is not an issue that needs to be resolved. That is, the nonce in mutual-auth plays the role of the client nonce in the digest scheme and therefore it is correct that it be generated by the client.


The authors will move non-mandatory auth into the optional draft.


There seems to be a need for common text (in the HTTP-AUTH working group) for all password-using drafts to put into Security Considerations. The authors that have HTTP-AUTH drafts that use passwords will co-ordinate to produce appropriate considerations text.

There was a request for the authors to add a reference to outside (non-IETF) documents that discuss the security analysis of the Mutual Auth protocol.

The chairs will discuss with the authors off-line whether it is appropriate to loop in the CFRG for discussion of the security of the Mutual Auth protocol.


A request was made for a simplified description of the entire mechanism. (That is, on the level of "Alice sends this to Bob and then Bob replies with such and such".) The authors will see if they can come up with something appropriate.

Starting Points

For a complete list of local wiki pages, see TitleIndex.

Last modified 4 months ago Last modified on 02/12/22 16:59:34