Changes between Initial Version and Version 1 of HttpAuthProposals/MutualAuth

Jun 4, 2012, 9:42:02 PM (7 years ago)

= HTTP Mutual authentication protocol =

== The Internet-Draft ==

Previous versions are available as [ draft-oiwa-http-mutualauth]

 * To implement it, you may need a crypto suite separately: one example is available as
[ draft-oiwa-http-mutualauth-algo]
== Overview ==

 * Strong authentication using a password or any possibly weak shared secret
   * Secrets are never leaked to eavesdroppers or to the other protocol party, even if they attempt exhaustive searches over possible passwords
     * For cryptographers: this is achieved by using PAKE (or ZKPP)
 * Strong mutual authentication: Web users can distinguish their registered Web sites from fake servers, giving protection against web fraud
 * Strictly based on RFC 2617 or httpbis-p7, allowing easy system integration
 * Additional support for Web applications using [../AuthExtension a companion proposal]
   * Support for guest users, log-out control, page navigation on authentication events, and more
   * See that proposal for more details
 * Channel binding to HTTPS
 * Fixes several loopholes of Digest authentication
   * Strong-enough hashes, no fixed crypto primitive, and strict replay-attack protection within a fixed amount of memory per session key
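The last Overview point, replay protection within a fixed amount of memory per session key, can be illustrated with a sliding-window bitmap over per-request nonce counts. This is an added example, not code from the draft or its reference implementations; the window size, the counter name `nc` and the sample request stream are constructed assumptions, and the draft's exact nonce-count rules may differ.

```python
class NonceCountWindow:
    """Replay filter for one session key using a fixed-size sliding bitmap.

    Each authenticated request carries a nonce count that must be fresh.
    Instead of remembering every count ever seen, the verifier keeps only
    the highest count accepted plus a bitmap of the `size` counts below it,
    so memory per session key is constant regardless of request volume.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size      # number of recent counts tracked (assumption: 64)
        self.highest = 0      # highest nonce count accepted so far
        self.bits = 0         # bit i set => count (highest - i) already used

    def accept(self, nc: int) -> bool:
        """Return True and record `nc` if it is fresh; False on replay or if too old."""
        if nc < 1:
            return False      # counts start at 1 in this constructed scheme
        if nc > self.highest:
            # New high-water mark: slide the window forward, dropping old bits.
            shift = nc - self.highest
            mask = (1 << self.size) - 1
            self.bits = ((self.bits << shift) | 1) & mask if shift < self.size else 1
            self.highest = nc
            return True
        offset = self.highest - nc
        if offset >= self.size:
            return False      # older than the window: cannot tell, so reject
        if self.bits & (1 << offset):
            return False      # already used: replay
        self.bits |= 1 << offset   # late but fresh: record and accept
        return True


def filter_requests(counts: list[int], size: int = 8) -> list[bool]:
    """Apply one window to a constructed sequence of nonce counts (sample input)."""
    window = NonceCountWindow(size)
    return [window.accept(nc) for nc in counts]


if __name__ == "__main__":
    # Constructed request stream: in-order, out-of-order, replayed, and stale counts.
    sample = [1, 2, 2, 5, 3, 3, 20, 5, 13, 12]
    for nc, ok in zip(sample, filter_requests(sample)):
        print(f"nc={nc:2d} -> {'accept' if ok else 'reject'}")
```

Requests older than the window are rejected rather than accepted, since the verifier can no longer tell whether they were already used; a client that falls that far behind simply re-authenticates.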
== Implementations ==

Reference implementations are available on the [ project homepage]:
 * Web browser (modified Mozilla Firefox)
 * Web server module (Apache module)

We also have second implementations on each side: a standalone client, and a purely Ruby-based server implementation (to be published).
== Comparisons (or non-comparisons) ==

Please refer to Section 1 of the draft for comparisons (or non-conflicting relations) to existing technologies.
== Possible deployments ==

 * Replacing Basic and Digest is quite easy: it is just a drop-in replacement sharing the httpbis-p7 framework. For Digest, even the password DB can be migrated.
 * Replacing Web forms: the pair of this proposal and [../AuthExtension the companion] can be considered a pre-implemented API framework; refer to Section 5 of the companion draft for possible deployment tactics.
   * If you really want, on several application server frameworks (i.e., other than Apache), you can implement the whole protocol at the web application layer rather than at the web server layer.