
From ynir@checkpoint.com  Thu Feb  9 15:04:11 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBB8811E808F; Thu,  9 Feb 2012 15:04:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.466
X-Spam-Level: 
X-Spam-Status: No, score=-10.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0tPYME8DKdg; Thu,  9 Feb 2012 15:04:11 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 038E511E808A; Thu,  9 Feb 2012 15:04:10 -0800 (PST)
X-CheckPoint: {4F344D42-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q19N458e026029;  Fri, 10 Feb 2012 01:04:05 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Fri, 10 Feb 2012 01:04:05 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Nico Williams <nico@cryptonector.com>
Date: Fri, 10 Feb 2012 01:04:10 +0200
Thread-Topic: [therightkey] As for MITMs,	authentication with channel binding would defeat them
Thread-Index: Acznfx53GOxIb8r1TGebDXOj3Duuog==
Message-ID: <754D9EA1-2418-4438-ABAB-B5F7241AD0A2@checkpoint.com>
References: <CAK3OfOgd=NTw+2diXhH=GUZDe-Y=LuCnUt0e7Fwgc6KiQrhtxQ@mail.gmail.com>
In-Reply-To: <CAK3OfOgd=NTw+2diXhH=GUZDe-Y=LuCnUt0e7Fwgc6KiQrhtxQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] [therightkey] As for MITMs, authentication with channel binding would defeat them
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2012 23:04:12 -0000

On Feb 9, 2012, at 7:35 PM, Nico Williams wrote:

> The only thing missing, of course, is web user authentication
> technologies that scale to the Internet and have channel binding
> support.
>
> I would like to see web userauth technologies that have support for
> channel binding.
>
> If such technologies were in widespread use then MITM CAs would be
> useless, therefore rare.
>
> Is it too late to work on this?  The folks over at the ABFAB WG don't
> seem to think so, but I want more options than just Project Moonshot
> and Kerberos.

This thread looks to me like it's more appropriate for the http-auth
mailing list. The "charter" of therightkey is pretty specific in that it
talks about PKI authentication only.

This will be a one-time-only cross-post.

Yoav

From stpeter@stpeter.im  Wed Feb 22 11:12:12 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3995F21F86DF for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 11:12:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.627
X-Spam-Level: 
X-Spam-Status: No, score=-102.627 tagged_above=-999 required=5 tests=[AWL=-0.028, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0E80clcoAmec for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 11:12:11 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC0B21F86DC for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:12:11 -0800 (PST)
Received: from squire.local (unknown [64.101.72.114]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 7B9A540058 for <http-auth@ietf.org>; Wed, 22 Feb 2012 12:23:26 -0700 (MST)
Message-ID: <4F453E0A.7020308@stpeter.im>
Date: Wed, 22 Feb 2012 12:12:10 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "http-auth@ietf.org" <http-auth@ietf.org>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org>
In-Reply-To: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org>
X-Enigmail-Version: 1.3.5
OpenPGP: url=https://stpeter.im/stpeter.asc
X-Forwarded-Message-Id: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-List-Received-Date: Wed, 22 Feb 2012 19:12:12 -0000

FYI, there is a relevant thread happening on other lists...

-------- Original Message --------
Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis
(httpbis)
Date: Wed, 22 Feb 2012 10:39:49 -0800
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: Peter Saint-Andre <stpeter@stpeter.im>, ietf-http-wg@w3.org,
The IESG <iesg@ietf.org>, IETF-Discussion <ietf@ietf.org>

On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote:

> Regardless of that you do have a fair point that asking
> apps folks to do stuff that'll please security folks might
> be asking for trouble:-)
> 
> However, the counter to that is that security folks doing
> stuff without enough apps input might produce something that
> won't get adopted which also doesn't produce the right end
> result.
> 
> Anyway, I think this topic, if tackled, won't lack
> interested participants and will get plenty of security
> and apps input no matter how we organise it.


Peter St.Andre's suggestion of a separate WG to deal specifically with
HTTP authentication seems like the best way to be sure both sets of
parties are fully involved. If the IESG charters it within the next few
months, the HTTP 2.0 work can be informed by any changes (if any) that
are needed.

--Paul Hoffman


From nico@cryptonector.com  Wed Feb 22 11:25:47 2012
Return-Path: <nico@cryptonector.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B284521F8665 for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 11:25:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.25
X-Spam-Level: 
X-Spam-Status: No, score=-2.25 tagged_above=-999 required=5 tests=[AWL=-0.273,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8eAZnjxTgRVm for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 11:25:42 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (caiajhbdcaid.dreamhost.com [208.97.132.83]) by ietfa.amsl.com (Postfix) with ESMTP id AB47221F8650 for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:25:42 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 6DBD7360075 for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:25:42 -0800 (PST)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPSA id 50EE2360072 for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:25:42 -0800 (PST)
Received: by dakl33 with SMTP id l33so365401dak.31 for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:25:41 -0800 (PST)
Received-SPF: pass (google.com: domain of nico@cryptonector.com designates 10.68.196.168 as permitted sender) client-ip=10.68.196.168; 
Authentication-Results: mr.google.com; spf=pass (google.com: domain of nico@cryptonector.com designates 10.68.196.168 as permitted sender) smtp.mail=nico@cryptonector.com
Received: from mr.google.com ([10.68.196.168]) by 10.68.196.168 with SMTP id in8mr49193482pbc.34.1329938741898 (num_hops = 1); Wed, 22 Feb 2012 11:25:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.196.168 with SMTP id in8mr40691846pbc.34.1329938741881; Wed, 22 Feb 2012 11:25:41 -0800 (PST)
Received: by 10.68.221.197 with HTTP; Wed, 22 Feb 2012 11:25:41 -0800 (PST)
In-Reply-To: <4F453E0A.7020308@stpeter.im>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im>
Date: Wed, 22 Feb 2012 13:25:41 -0600
Message-ID: <CAK3OfOj1uLEb_jtqSQft3Y1A6c665RktpUHJn-a8KEUxvCrcXQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset=UTF-8
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-List-Received-Date: Wed, 22 Feb 2012 19:25:47 -0000

On Wed, Feb 22, 2012 at 1:12 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> FYI, there is a relevant thread happening on other lists...

I agree that a separate WG would be better.

From nico@cryptonector.com  Wed Feb 22 11:27:18 2012
Return-Path: <nico@cryptonector.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC8A921F86E0 for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 11:27:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.246
X-Spam-Level: 
X-Spam-Status: No, score=-2.246 tagged_above=-999 required=5 tests=[AWL=-0.269, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YBNXmarFRdwg for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 11:27:18 -0800 (PST)
Received: from homiemail-a96.g.dreamhost.com (caiajhbdccah.dreamhost.com [208.97.132.207]) by ietfa.amsl.com (Postfix) with ESMTP id 5083121F86D1 for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:27:18 -0800 (PST)
Received: from homiemail-a96.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a96.g.dreamhost.com (Postfix) with ESMTP id 0D7DF3B8069 for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:27:18 -0800 (PST)
Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a96.g.dreamhost.com (Postfix) with ESMTPSA id E2E223B8062 for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:27:17 -0800 (PST)
Received: by pbcwz7 with SMTP id wz7so510620pbc.31 for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:27:17 -0800 (PST)
Received-SPF: pass (google.com: domain of nico@cryptonector.com designates 10.68.196.168 as permitted sender) client-ip=10.68.196.168; 
Authentication-Results: mr.google.com; spf=pass (google.com: domain of nico@cryptonector.com designates 10.68.196.168 as permitted sender) smtp.mail=nico@cryptonector.com
Received: from mr.google.com ([10.68.196.168]) by 10.68.196.168 with SMTP id in8mr49207869pbc.34.1329938837538 (num_hops = 1); Wed, 22 Feb 2012 11:27:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.196.168 with SMTP id in8mr40704432pbc.34.1329938837524; Wed, 22 Feb 2012 11:27:17 -0800 (PST)
Received: by 10.68.221.197 with HTTP; Wed, 22 Feb 2012 11:27:17 -0800 (PST)
In-Reply-To: <CAK3OfOj1uLEb_jtqSQft3Y1A6c665RktpUHJn-a8KEUxvCrcXQ@mail.gmail.com>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <CAK3OfOj1uLEb_jtqSQft3Y1A6c665RktpUHJn-a8KEUxvCrcXQ@mail.gmail.com>
Date: Wed, 22 Feb 2012 13:27:17 -0600
Message-ID: <CAK3OfOj-YF7VESy=k1wd=ks55+e=FOXkQUkc9uyHejDar+Qt2Q@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset=UTF-8
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-List-Received-Date: Wed, 22 Feb 2012 19:27:18 -0000

On Wed, Feb 22, 2012 at 1:25 PM, Nico Williams <nico@cryptonector.com> wrote:
> On Wed, Feb 22, 2012 at 1:12 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
>> FYI, there is a relevant thread happening on other lists...
>
> I agree that a separate WG would be better.

And to explain why: I can't subscribe to every WG list.  I don't care
about all things HTTP, but I care very much about web authentication.

That's another thing, I'd say this should be about web authentication,
not necessarily HTTP authentication, though the work it does might
well be exclusively new HTTP authentication methods.

From hotz@jpl.nasa.gov  Wed Feb 22 11:55:11 2012
Return-Path: <hotz@jpl.nasa.gov>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF7BB21E8010 for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 11:55:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.574
X-Spam-Level: 
X-Spam-Status: No, score=-6.574 tagged_above=-999 required=5 tests=[AWL=0.025,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sksXcejH+9It for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 11:55:11 -0800 (PST)
Received: from mail.jpl.nasa.gov (mailhost.jpl.nasa.gov [128.149.139.106]) by ietfa.amsl.com (Postfix) with ESMTP id 3F0CE21E800E for <http-auth@ietf.org>; Wed, 22 Feb 2012 11:55:11 -0800 (PST)
Received: from dhcp-128-149-190-134.jpl.nasa.gov (dhcp-128-149-190-134.jpl.nasa.gov [128.149.190.134]) (authenticated (0 bits)) by smtp.jpl.nasa.gov (Switch-3.4.3/Switch-3.4.3) with ESMTP id q1MJt81K004503 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO); Wed, 22 Feb 2012 11:55:09 -0800
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <CAK3OfOj-YF7VESy=k1wd=ks55+e=FOXkQUkc9uyHejDar+Qt2Q@mail.gmail.com>
Date: Wed, 22 Feb 2012 11:55:08 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <A98E9307-BFCA-4790-ABDD-0DDA7E3AA145@jpl.nasa.gov>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <CAK3OfOj1uLEb_jtqSQft3Y1A6c665RktpUHJn-a8KEUxvCrcXQ@mail.gmail.com> <CAK3OfOj-YF7VESy=k1wd=ks55+e=FOXkQUkc9uyHejDar+Qt2Q@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1084)
X-Source-IP: dhcp-128-149-190-134.jpl.nasa.gov [128.149.190.134]
X-Source-Sender: hotz@jpl.nasa.gov
X-AUTH: Authorized
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-List-Received-Date: Wed, 22 Feb 2012 19:55:11 -0000

On Feb 22, 2012, at 11:27 AM, Nico Williams wrote:

> On Wed, Feb 22, 2012 at 1:25 PM, Nico Williams <nico@cryptonector.com> wrote:
>> On Wed, Feb 22, 2012 at 1:12 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
>>> FYI, there is a relevant thread happening on other lists...
>>
>> I agree that a separate WG would be better.
>
> And to explain why: I can't subscribe to every WG list.  I don't care
> about all things HTTP, but I care very much about web authentication.

+1  (I'm already subscribed to too many lists to track.  If the web auth
stuff were in one place -- even an existing list -- I could trim some of
them.)

> That's another thing, I'd say this should be about web authentication,
> not necessarily HTTP authentication, though the work it does might
> well be exclusively new HTTP authentication methods.

+1

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


From stpeter@stpeter.im  Wed Feb 22 12:42:23 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5109E21F861C for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 12:42:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.626
X-Spam-Level: 
X-Spam-Status: No, score=-102.626 tagged_above=-999 required=5 tests=[AWL=-0.027, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qylcEOGaB5QX for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 12:42:22 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 7BA6121F861B for <http-auth@ietf.org>; Wed, 22 Feb 2012 12:42:22 -0800 (PST)
Received: from squire.local (unknown [64.101.72.114]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 4754640058; Wed, 22 Feb 2012 13:53:37 -0700 (MST)
Message-ID: <4F45532C.50509@stpeter.im>
Date: Wed, 22 Feb 2012 13:42:20 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <CAK3OfOj1uLEb_jtqSQft3Y1A6c665RktpUHJn-a8KEUxvCrcXQ@mail.gmail.com> <CAK3OfOj-YF7VESy=k1wd=ks55+e=FOXkQUkc9uyHejDar+Qt2Q@mail.gmail.com> <A98E9307-BFCA-4790-ABDD-0DDA7E3AA145@jpl.nasa.gov>
In-Reply-To: <A98E9307-BFCA-4790-ABDD-0DDA7E3AA145@jpl.nasa.gov>
X-Enigmail-Version: 1.3.5
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-List-Received-Date: Wed, 22 Feb 2012 20:42:23 -0000

On 2/22/12 12:55 PM, Henry B. Hotz wrote:
> 
> On Feb 22, 2012, at 11:27 AM, Nico Williams wrote:
> 
>> On Wed, Feb 22, 2012 at 1:25 PM, Nico Williams
>> <nico@cryptonector.com> wrote:
>>> On Wed, Feb 22, 2012 at 1:12 PM, Peter Saint-Andre
>>> <stpeter@stpeter.im> wrote:
>>>> FYI, there is a relevant thread happening on other lists...
>>> 
>>> I agree that a separate WG would be better.
>> 
>> And to explain why: I can't subscribe to every WG list.  I don't
>> care about all things HTTP, but I care very much about web
>> authentication.
> 
> +1  (I'm already subscribed to too many lists to track.  If the web
> auth stuff were in one place -- even an existing list -- I could trim
> some of them.)

This list seems to be the right place.

>> That's another thing, I'd say this should be about web
>> authentication, not necessarily HTTP authentication, though the
>> work it does might well be exclusively new HTTP authentication
>> methods.
> 
> +1

Good point.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From nico@cryptonector.com  Wed Feb 22 13:09:09 2012
Return-Path: <nico@cryptonector.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B99B621F8562 for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 13:09:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.242
X-Spam-Level: 
X-Spam-Status: No, score=-2.242 tagged_above=-999 required=5 tests=[AWL=-0.265, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k6KEOLhBMZok for <http-auth@ietfa.amsl.com>; Wed, 22 Feb 2012 13:09:09 -0800 (PST)
Received: from homiemail-a31.g.dreamhost.com (caiajhbdcahe.dreamhost.com [208.97.132.74]) by ietfa.amsl.com (Postfix) with ESMTP id 3561421F855D for <http-auth@ietf.org>; Wed, 22 Feb 2012 13:09:09 -0800 (PST)
Received: from homiemail-a31.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a31.g.dreamhost.com (Postfix) with ESMTP id E02EA20202C for <http-auth@ietf.org>; Wed, 22 Feb 2012 13:09:08 -0800 (PST)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a31.g.dreamhost.com (Postfix) with ESMTPSA id BCAD3202022 for <http-auth@ietf.org>; Wed, 22 Feb 2012 13:09:08 -0800 (PST)
Received: by dakl33 with SMTP id l33so453881dak.31 for <http-auth@ietf.org>; Wed, 22 Feb 2012 13:09:08 -0800 (PST)
Received-SPF: pass (google.com: domain of nico@cryptonector.com designates 10.68.223.167 as permitted sender) client-ip=10.68.223.167; 
Authentication-Results: mr.google.com; spf=pass (google.com: domain of nico@cryptonector.com designates 10.68.223.167 as permitted sender) smtp.mail=nico@cryptonector.com
Received: from mr.google.com ([10.68.223.167]) by 10.68.223.167 with SMTP id qv7mr44255661pbc.139.1329944948461 (num_hops = 1); Wed, 22 Feb 2012 13:09:08 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.223.167 with SMTP id qv7mr36581160pbc.139.1329944948447; Wed, 22 Feb 2012 13:09:08 -0800 (PST)
Received: by 10.68.221.197 with HTTP; Wed, 22 Feb 2012 13:09:08 -0800 (PST)
In-Reply-To: <4F45532C.50509@stpeter.im>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <CAK3OfOj1uLEb_jtqSQft3Y1A6c665RktpUHJn-a8KEUxvCrcXQ@mail.gmail.com> <CAK3OfOj-YF7VESy=k1wd=ks55+e=FOXkQUkc9uyHejDar+Qt2Q@mail.gmail.com> <A98E9307-BFCA-4790-ABDD-0DDA7E3AA145@jpl.nasa.gov> <4F45532C.50509@stpeter.im>
Date: Wed, 22 Feb 2012 15:09:08 -0600
Message-ID: <CAK3OfOie_vy_+ythKN1YFo6Vex0QBEa3yOryy0VAozOyOzoUvQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset=UTF-8
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-List-Received-Date: Wed, 22 Feb 2012 21:09:09 -0000

Also, the reasons I want to focus on web authentication instead of HTTP:

 - technically it *is* web authentication that we need to fix, not
   HTTP authentication, even if fixing HTTP authentication turns
   out to be all we end up doing

 - my own proposal, REST-GSS, is to do authentication at the
   application layer, not in HTTP

Nico
--

From bkihara.l@gmail.com  Thu Feb 23 00:09:49 2012
Return-Path: <bkihara.l@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B799721F8512 for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 00:09:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.025
X-Spam-Level: 
X-Spam-Status: No, score=-2.025 tagged_above=-999 required=5 tests=[AWL=1.574,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSmEEGpKHL35 for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 00:09:48 -0800 (PST)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 91DAD21F852F for <http-auth@ietf.org>; Thu, 23 Feb 2012 00:09:40 -0800 (PST)
Received: by wgbdt10 with SMTP id dt10so562742wgb.13 for <http-auth@ietf.org>; Thu, 23 Feb 2012 00:09:39 -0800 (PST)
Received-SPF: pass (google.com: domain of bkihara.l@gmail.com designates 10.180.80.35 as permitted sender) client-ip=10.180.80.35; 
Authentication-Results: mr.google.com; spf=pass (google.com: domain of bkihara.l@gmail.com designates 10.180.80.35 as permitted sender) smtp.mail=bkihara.l@gmail.com; dkim=pass header.i=bkihara.l@gmail.com
Received: from mr.google.com ([10.180.80.35]) by 10.180.80.35 with SMTP id o3mr334937wix.5.1329984579721 (num_hops = 1); Thu, 23 Feb 2012 00:09:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.180.80.35 with SMTP id o3mr271174wix.5.1329984579651; Thu, 23 Feb 2012 00:09:39 -0800 (PST)
Received: by 10.180.146.73 with HTTP; Thu, 23 Feb 2012 00:09:39 -0800 (PST)
In-Reply-To: <CAK3OfOie_vy_+ythKN1YFo6Vex0QBEa3yOryy0VAozOyOzoUvQ@mail.gmail.com>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <CAK3OfOj1uLEb_jtqSQft3Y1A6c665RktpUHJn-a8KEUxvCrcXQ@mail.gmail.com> <CAK3OfOj-YF7VESy=k1wd=ks55+e=FOXkQUkc9uyHejDar+Qt2Q@mail.gmail.com> <A98E9307-BFCA-4790-ABDD-0DDA7E3AA145@jpl.nasa.gov> <4F45532C.50509@stpeter.im> <CAK3OfOie_vy_+ythKN1YFo6Vex0QBEa3yOryy0VAozOyOzoUvQ@mail.gmail.com>
Date: Thu, 23 Feb 2012 17:09:39 +0900
Message-ID: <CAM+81qJfvsNLEN0tifmVaPwedi_fBDsSaVMzm2u1KiF7hp6qBA@mail.gmail.com>
From: "KIHARA, Boku" <bkihara.l@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-List-Received-Date: Thu, 23 Feb 2012 08:09:50 -0000

Nico Williams <nico@cryptonector.com>:
> Also, the reasons I want to focus on web authentication instead of HTTP:
>
>  - technically it *is* web authentication that we need to fix, not
>    HTTP authentication, even if fixing HTTP authentication turns
>    out to be all we end up doing

+1 What we need is secure web, not secure HTTP.

From y.oiwa@aist.go.jp  Thu Feb 23 07:01:23 2012
Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BA6621F8839 for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 07:01:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.09
X-Spam-Level: 
X-Spam-Status: No, score=-0.09 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FPyRO8jNpdtz for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 07:01:22 -0800 (PST)
Received: from mx1.aist.go.jp (mx1.aist.go.jp [150.29.246.133]) by ietfa.amsl.com (Postfix) with ESMTP id F008021F8833 for <http-auth@ietf.org>; Thu, 23 Feb 2012 07:01:21 -0800 (PST)
Received: from rqsmtp1.aist.go.jp (rqsmtp1.aist.go.jp [150.29.254.115]) by mx1.aist.go.jp  with ESMTP id q1NF1GeJ009381; Fri, 24 Feb 2012 00:01:16 +0900 (JST) env-from (y.oiwa@aist.go.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=aist.go.jp; s=aist; t=1330009277; bh=dqY8yFLJ7nbvm5zhnGxOHxywoQ6xcRTFNuK6rbkNGCk=; h=Message-ID:Date:From; b=KtmlR1ifOQig6e8HOFtS+aNsdsl7umV0+BAzCoWVPAHHelehsKmpovr7luBCa3YZd nfoXkhQBVceUgXsK3+t79xf8lZuAZG3wdfSR1gX4s0/B7HE3DBjPXZ7vb6yzYyZEky 00l4cZN5VxsbD4MwrE5Lnl6Xk9if2ULi5YUtv/Jc=
Received: from smtp3.aist.go.jp by rqsmtp1.aist.go.jp  with ESMTP id q1NF1G46009504; Fri, 24 Feb 2012 00:01:16 +0900 (JST) env-from (y.oiwa@aist.go.jp)
Received: by smtp3.aist.go.jp  with ESMTP id q1NF1DD7008210; Fri, 24 Feb 2012 00:01:14 +0900 (JST) env-from (y.oiwa@aist.go.jp)
Message-ID: <4F4654B8.40102@aist.go.jp>
Date: Fri, 24 Feb 2012 00:01:12 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <CAK3OfOj1uLEb_jtqSQft3Y1A6c665RktpUHJn-a8KEUxvCrcXQ@mail.gmail.com> <CAK3OfOj-YF7VESy=k1wd=ks55+e=FOXkQUkc9uyHejDar+Qt2Q@mail.gmail.com> <A98E9307-BFCA-4790-ABDD-0DDA7E3AA145@jpl.nasa.gov> <4F45532C.50509@stpeter.im> <CAK3OfOie_vy_+ythKN1YFo6Vex0QBEa3yOryy0VAozOyOzoUvQ@mail.gmail.com>
In-Reply-To: <CAK3OfOie_vy_+ythKN1YFo6Vex0QBEa3yOryy0VAozOyOzoUvQ@mail.gmail.com>
X-Enigmail-Version: 1.3.5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 15:01:23 -0000

Dear Nico, Peter and all,

On 2012/02/23 6:09, Nico Williams wrote:
>  - technically it *is* web authentication that we need to fix, not
>    HTTP authentication, even if fixing HTTP authentication turns
>    out to be all we end up doing

Yes, agreed on our main goal.
At the same time, we considered the following things when
we first proposed the current HTTP-auth name:

 - Although the main goal is web security, there is also a need
   either to develop or to apply web-based technologies to the
   non-web authentications as well.  We should not limit our focus to the
   technologies which are "unwantedly limited" to Web authentications
   (if there is a technical reason to do so, it is OK.)

 - Considering the "web" layer, the focus may include other working areas
   as well: abfab (although they name themselves "beyond the web"), W3C,
   other standardizing bodies as well.  HTTP is clearly the primary area of
   IETF.

I think that the name Web auth is natural considering our main goal,
but in the problem stating and chartering phases we will have to work out
clear topic definitions.

Conversely, if we rephrase it to Web authentication, it may include
some more interesting topics like the relation between authentication and off-line
contents (or other long-lived contents).
Let's go on and have discussions soon.
Any ideas for such expanded topics?

>  - my own proposal, REST-GSS, is to do authentication at the
>    application layer, not in HTTP

I personally thought that yours is not in the HTTP but on the HTTP,
so it is OK even under the current name :-)

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

From stephen.farrell@cs.tcd.ie  Thu Feb 23 07:06:52 2012
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7B8221F8691 for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 07:06:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.69
X-Spam-Level: 
X-Spam-Status: No, score=-103.69 tagged_above=-999 required=5 tests=[AWL=-1.091, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g10KKgADemfK for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 07:06:51 -0800 (PST)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 0A56321F85A8 for <http-auth@ietf.org>; Thu, 23 Feb 2012 07:06:45 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 4DBB2171CB9; Thu, 23 Feb 2012 15:06:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1330009604; bh=/NDXAiGgoT1byX P6pZO9NP5HdneuTDOcpdJpQtLUvqQ=; b=aYQzZsRVLvhj1fMm1rBH/5I8I+YRs0 JEN32gARto/xd4tJfp82D+IM8RAxUWRrvr9O3Gf5S6d2lL4lwt5nolrIs+JEJoyH 2PGuMTIij4W7XIEw1dxaGgSTd49M0SWRj6DR1Lyu0jOY70g+tcdZgeOpPkDZppyg MEfe2PELZHd8TbmSWGHiBzYOQVNqpwdSc89ostBXLh1hpaYVIvXB6/NswtDH5do0 aZIMIbLIPeJxGlAlC7amxrsoBIBbmPm1dgyMp1ZQZjoYIdHbgx6L2QUAWiofnXu/ fGDqomTP67xnXRNwgi8FynFNKDBC+0ha/zVKgRgOmPCh1HzTOiL6jWkg==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id u-eUJrgeok70; Thu, 23 Feb 2012 15:06:44 +0000 (GMT)
Received: from [134.226.62.183] (cswireless62-183.scss.tcd.ie [134.226.62.183]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 75B10171BFF; Thu, 23 Feb 2012 15:06:44 +0000 (GMT)
Message-ID: <4F465604.2080501@cs.tcd.ie>
Date: Thu, 23 Feb 2012 15:06:44 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "http-auth@ietf.org" <http-auth@ietf.org>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im>
In-Reply-To: <4F453E0A.7020308@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 15:06:52 -0000

So I've a question for people on this list.

How many of you would be able to authoritatively say whether
or not some new http authentication technology that might be
produced in a separate http authentication wg would actually
be adopted? (Where "authoritatively say" has the usual
qualifications that we're not discussing specific product
plans etc. etc.)

I'm not sure myself but am concerned that we not spin up a
security WG the output of which gets more-or-less ignored by
the major vendors/implementers.

I don't know if that's the case or not, but, assuming that
this list has many of the people who'd work in such a WG, I'd
like to have a better feel for that so's we don't do the
wrong thing.

I realise that if such a WG were chartered, then new folks
would also come along as well, so this is just looking for
another input, and isn't intended to produce any definitive
answer to anything.

S

PS: I guess it's possible some people might prefer to answer
this off-list (or partly off-list). If so, maybe mail Peter
and myself and we can summarise back to the list later.

On 02/22/2012 07:12 PM, Peter Saint-Andre wrote:
> FYI, there is a relevant thread happening on other lists...
>
> -------- Original Message --------
> Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis
> (httpbis)
> Date: Wed, 22 Feb 2012 10:39:49 -0800
> From: Paul Hoffman<paul.hoffman@vpnc.org>
> To: Stephen Farrell<stephen.farrell@cs.tcd.ie>
> CC: Peter Saint-Andre<stpeter@stpeter.im>, ietf-http-wg@w3.org,
> The IESG<iesg@ietf.org>, IETF-Discussion<ietf@ietf.org>
>
> On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote:
>
>> Regardless of that you do have a fair point that asking
>> apps folks to do stuff that'll please security folks might
>> be asking for trouble:-)
>>
>> However, the counter to that is that security folks doing
>> stuff without enough apps input might produce something that
>> won't get adopted which also doesn't produce the right end
>> result.
>>
>> Anyway, I think this topic, if tackled, won't lack
>> interested participants and will get plenty of security
>> and apps input no matter how we organise it.
>
>
> Peter St.Andre's suggestion of a separate WG to deal specifically with
> HTTP authentication seems like the best way to be sure both sets of
> parties are fully involved. If the IESG charters it within the next few
> months, the HTTP 2.0 work can be informed by any changes (if any) that
> are needed.
>
> --Paul Hoffman
>

From ynir@checkpoint.com  Thu Feb 23 07:27:52 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DC6D21F85BE for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 07:27:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.445
X-Spam-Level: 
X-Spam-Status: No, score=-10.445 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaSdIlxOG7lZ for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 07:27:51 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 14F6E21F848C for <http-auth@ietf.org>; Thu, 23 Feb 2012 07:27:50 -0800 (PST)
X-CheckPoint: {4F4656C7-3-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q1NFRl7Q032382;  Thu, 23 Feb 2012 17:27:47 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 23 Feb 2012 17:27:47 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 23 Feb 2012 17:27:49 +0200
Thread-Topic: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
Thread-Index: AczyP7FYZ9EFhXOoTk28pIslUT65JQ==
Message-ID: <FBC102FC-A0B6-45C3-9BAB-8A2277D1D2F5@checkpoint.com>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie>
In-Reply-To: <4F465604.2080501@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 15:27:52 -0000

Hi

IMO the drivers here are the web browsers, because UI is the hard issue. If we standardize New Super Cool Authentication for HTTP (or the applications) it would be relatively easy for someone to write mod_nsca for Apache and whatever add-ons are called for IIS. Similarly, modifying wget or CURL to support it should also be a short exercise.

Getting it in browsers from mobile phones to big screens in such a way that carefully tailored HTML5 cannot be made to mimic the UX is a far greater challenge.

So in my opinion, if we can get at least some of the browser implementors to do it (Yutaka Oiwa's modified Firefox is a start, I guess) then the servers will follow.
Once we get past that, the next hurdle would be to convince web designers to actually use it. But that's for the future, and really depends on how browsers implement it.

It's all riding on the browsers.

Yoav

On Feb 23, 2012, at 5:06 PM, Stephen Farrell wrote:

>
> So I've a question for people on this list.
>
> How many of you would be able to authoritatively say whether
> or not some new http authentication technology that might be
> produced in a separate http authentication wg would actually
> be adopted? (Where "authoritatively say" has the usual
> qualifications that we're not discussing specific product
> plans etc. etc.)
>
> I'm not sure myself but am concerned that we not spin up a
> security WG the output of which gets more-or-less ignored by
> the major vendors/implementers.
>
> I don't know if that's the case or not, but, assuming that
> this list has many of the people who'd work in such a WG, I'd
> like to have a better feel for that so's we don't do the
> wrong thing.
>
> I realise that if such a WG were chartered, then new folks
> would also come along as well, so this is just looking for
> another input, and isn't intended to produce any definitive
> answer to anything.
>
> S
>
> PS: I guess it's possible some people might prefer to answer
> this off-list (or partly off-list). If so, maybe mail Peter
> and myself and we can summarise back to the list later.
>
> On 02/22/2012 07:12 PM, Peter Saint-Andre wrote:
>> FYI, there is a relevant thread happening on other lists...
>>
>> -------- Original Message --------
>> Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis
>> (httpbis)
>> Date: Wed, 22 Feb 2012 10:39:49 -0800
>> From: Paul Hoffman<paul.hoffman@vpnc.org>
>> To: Stephen Farrell<stephen.farrell@cs.tcd.ie>
>> CC: Peter Saint-Andre<stpeter@stpeter.im>, ietf-http-wg@w3.org,
>> The IESG<iesg@ietf.org>, IETF-Discussion<ietf@ietf.org>
>>
>> On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote:
>>
>>> Regardless of that you do have a fair point that asking
>>> apps folks to do stuff that'll please security folks might
>>> be asking for trouble:-)
>>>
>>> However, the counter to that is that security folks doing
>>> stuff without enough apps input might produce something that
>>> won't get adopted which also doesn't produce the right end
>>> result.
>>>
>>> Anyway, I think this topic, if tackled, won't lack
>>> interested participants and will get plenty of security
>>> and apps input no matter how we organise it.
>>
>>
>> Peter St.Andre's suggestion of a separate WG to deal specifically with
>> HTTP authentication seems like the best way to be sure both sets of
>> parties are fully involved. If the IESG charters it within the next few
>> months, the HTTP 2.0 work can be informed by any changes (if any) that
>> are needed.
>>
>> --Paul Hoffman
>>


From nico@cryptonector.com  Thu Feb 23 08:01:34 2012
Return-Path: <nico@cryptonector.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88A5421F87E3 for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 08:01:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.239
X-Spam-Level: 
X-Spam-Status: No, score=-2.239 tagged_above=-999 required=5 tests=[AWL=-0.262, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mB0sCc3kWvHE for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 08:01:33 -0800 (PST)
Received: from homiemail-a72.g.dreamhost.com (caiajhbdcbef.dreamhost.com [208.97.132.145]) by ietfa.amsl.com (Postfix) with ESMTP id 025CF21F87E0 for <http-auth@ietf.org>; Thu, 23 Feb 2012 08:01:32 -0800 (PST)
Received: from homiemail-a72.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTP id A21466B007E for <http-auth@ietf.org>; Thu, 23 Feb 2012 08:01:32 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc: content-type; q=dns; s=cryptonector.com; b=Pt4QKtYsZCt7PP8YU1bVA AM6u+CDoa1oKyVTQynK/4evVwcOhrzrY4qI4nML4yGb80M4FrtZQL4RedvAWLcBo 36vOVa7G0ffH2rE2Bys7HdKwIHp8LmLzpg0AfalN50R+Rdmzf5TT3AcuG3jYvSvj ICynQDzFEI1W4KFQc6/pws=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=FlJCYV+hcof9yYWuz+GI YUzdtUo=; b=cOeKgF0OqooP96Q34jakWFY/fYn3OWL0KfXM56uUBv0MIhMaziJK NDM2hcB5+6UNjZkrveAQmmgt67CF3aG3/t2TQZYg25FdJUBszo4XyLkLA4KWqSeC qoSg8yVM5MVlPiBV9kLbVFx8L0M4Btfr1zqpp60Sve9jw97/JRjJUro=
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTPSA id 888EE6B007C for <http-auth@ietf.org>; Thu, 23 Feb 2012 08:01:32 -0800 (PST)
Received: by dakl33 with SMTP id l33so1469598dak.31 for <http-auth@ietf.org>; Thu, 23 Feb 2012 08:01:32 -0800 (PST)
Received-SPF: pass (google.com: domain of nico@cryptonector.com designates 10.68.223.167 as permitted sender) client-ip=10.68.223.167; 
Authentication-Results: mr.google.com; spf=pass (google.com: domain of nico@cryptonector.com designates 10.68.223.167 as permitted sender) smtp.mail=nico@cryptonector.com
Received: from mr.google.com ([10.68.223.167]) by 10.68.223.167 with SMTP id qv7mr5569279pbc.139.1330012892262 (num_hops = 1); Thu, 23 Feb 2012 08:01:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.223.167 with SMTP id qv7mr4678007pbc.139.1330012892244; Thu, 23 Feb 2012 08:01:32 -0800 (PST)
Received: by 10.68.28.6 with HTTP; Thu, 23 Feb 2012 08:01:32 -0800 (PST)
In-Reply-To: <4F465604.2080501@cs.tcd.ie>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie>
Date: Thu, 23 Feb 2012 10:01:32 -0600
Message-ID: <CAK3OfOgFvEg3CxcVsDURaG8KZAP_wdPdCn4iiL2Q3EGZDBySuA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset=UTF-8
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 16:01:34 -0000

On Thu, Feb 23, 2012 at 9:06 AM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
> How many of you would be able to authoritatively say whether
> or not some new http authentication technology that might be
> produced in a separate http authentication wg would actually
> be adopted? (Where "authoritatively say" has the usual
> qualifications that we're not discussing specific product
> plans etc. etc.)

Likelihood of adoption hinges on a lot of things, of which browser
adoption is but one critical element.

The biggest issue will be how hard it is for websites to adopt the new
thing, whatever it is.  Site operators will need to deploy new
software, change enrollment processes, change verifier handling
processes, join federations, perhaps...

Maybe we should think outside the box.  Maybe we can have trusted
third parties issuing (setting) cookies for the sites they trust.
Danger, Will Robinson.  I know.  But given that cookies are what we
have...  And if we did channel binding of cookies (see Dirk B.'s OBC
proposal)...  I think it could work.  It's not my cup of tea, but... I
want a solution that works and gets adopted.

Nico
--

From hotz@jpl.nasa.gov  Thu Feb 23 17:25:32 2012
Return-Path: <hotz@jpl.nasa.gov>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CFB621E802A for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 17:25:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.543
X-Spam-Level: 
X-Spam-Status: No, score=-6.543 tagged_above=-999 required=5 tests=[AWL=0.056,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k1CVdhaAr3T4 for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 17:25:31 -0800 (PST)
Received: from mail.jpl.nasa.gov (mailhost.jpl.nasa.gov [128.149.139.106]) by ietfa.amsl.com (Postfix) with ESMTP id E723821E8028 for <http-auth@ietf.org>; Thu, 23 Feb 2012 17:25:07 -0800 (PST)
Received: from dhcp-128-149-190-134.jpl.nasa.gov (dhcp-128-149-190-134.jpl.nasa.gov [128.149.190.134]) (authenticated (0 bits)) by smtp.jpl.nasa.gov (Switch-3.4.3/Switch-3.4.3) with ESMTP id q1O1Oxnc018983 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO); Thu, 23 Feb 2012 17:25:00 -0800
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <CAK3OfOgFvEg3CxcVsDURaG8KZAP_wdPdCn4iiL2Q3EGZDBySuA@mail.gmail.com>
Date: Thu, 23 Feb 2012 17:24:59 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <A3B043B5-DA12-4DE2-967B-134D438C598E@jpl.nasa.gov>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie> <CAK3OfOgFvEg3CxcVsDURaG8KZAP_wdPdCn4iiL2Q3EGZDBySuA@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1084)
X-Source-IP: dhcp-128-149-190-134.jpl.nasa.gov [128.149.190.134]
X-Source-Sender: hotz@jpl.nasa.gov
X-AUTH: Authorized
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 01:25:32 -0000

To answer Stephen's question:  I have no special influence with browser makers.

On Feb 23, 2012, at 8:01 AM, Nico Williams wrote:

> Likelihood of adoption hinges on a lot of things, of which browser
> adoption is but one critical element.

Yes.  However I tend to think it's the biggest critical element.  Everyone doing an authentication scheme always starts with the question of what the browsers will support.

Even a custom plug-in appears to be too steep a barrier for most developers.  It doesn't seem to be the development effort per se, but a generic concern about being too far from the well-used capabilities.  That said I think a plug-in implementation for the majority of the browsers, coupled with Apache/IIS support that wasn't too much harder than TLS server certs to set up might fly.  But only *IF* there were a commitment by more than one browser maker to build it in in the future.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


From cuiyang@huawei.com  Thu Feb 23 22:20:48 2012
Return-Path: <cuiyang@huawei.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6C3D21F8855 for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 22:20:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9EGNgjCkKtS2 for <http-auth@ietfa.amsl.com>; Thu, 23 Feb 2012 22:20:46 -0800 (PST)
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [119.145.14.64]) by ietfa.amsl.com (Postfix) with ESMTP id 8A8A621F8850 for <http-auth@ietf.org>; Thu, 23 Feb 2012 22:20:45 -0800 (PST)
Received: from huawei.com (szxga05-in [172.24.2.49]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LZV00IGVW7JJR@szxga05-in.huawei.com> for http-auth@ietf.org; Fri, 24 Feb 2012 14:18:55 +0800 (CST)
Received: from szxrg02-dlp.huawei.com ([172.24.2.119]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LZV00A6PW7DXU@szxga05-in.huawei.com> for http-auth@ietf.org; Fri, 24 Feb 2012 14:18:55 +0800 (CST)
Received: from szxeml210-edg.china.huawei.com ([172.24.2.119]) by szxrg02-dlp.huawei.com (MOS 4.1.9-GA)	with ESMTP id AHJ46754; Fri, 24 Feb 2012 14:18:37 +0800
Received: from SZXEML419-HUB.china.huawei.com (10.82.67.158) by szxeml210-edg.china.huawei.com (172.24.2.183) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 24 Feb 2012 14:18:21 +0800
Received: from SZXEML508-MBS.china.huawei.com ([169.254.6.113]) by szxeml419-hub.china.huawei.com ([10.82.67.158]) with mapi id 14.01.0323.003; Fri, 24 Feb 2012 14:18:46 +0800
Date: Fri, 24 Feb 2012 06:18:33 +0000
From: Cui Yang <cuiyang@huawei.com>
In-reply-to: <FBC102FC-A0B6-45C3-9BAB-8A2277D1D2F5@checkpoint.com>
X-Originating-IP: [10.108.64.159]
To: Yoav Nir <ynir@checkpoint.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-id: <8CC0CB0BCAE52F46882E17828A9AE21619FCFBD5@SZXEML508-MBS.china.huawei.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-language: zh-CN
Content-transfer-encoding: 7BIT
Accept-Language: zh-CN, en-US
Thread-topic: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
Thread-index: AQHM8ZXoN047tAzktESarqFaJR171ZZKEDoAgAAF5ICAAX3X4A==
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
X-CFilter-Loop: Reflected
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie> <FBC102FC-A0B6-45C3-9BAB-8A2277D1D2F5@checkpoint.com>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 06:20:49 -0000

>So in my opinion, if we can get at least some of the browser implementors to do it (Yutaka Oiwa's modified Firefox is a start, I guess) then the servers will follow.
>Once we get past that, the next hurdle would be to convince web designers to actually use it. But that's for the future, and really depends on how browsers implement it.
>
>It's all riding on the browsers.

+1. It had better focus on browsers in the current step.

Yang
--
  Yang Cui,  Ph.D.
  Huawei Technologies, China
  cuiyang@huawei.com


-----Original Message-----
From: http-auth-bounces@ietf.org [mailto:http-auth-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Thursday, February 23, 2012 11:28 PM
To: Stephen Farrell
Cc: http-auth@ietf.org
Subject: Re: [http-auth] Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

Hi

IMO the drivers here are the web browsers, because UI is the hard issue. If we standardize New Super Cool Authentication for HTTP (or the applications) it would be relatively easy for someone to write mod_nsca for Apache and whatever add-ons are called for IIS. Similarly, modifying wget or CURL to support it should also be a short exercise.

Getting it in browsers from mobile phones to big screens in such a way that carefully tailored HTML5 cannot be made to mimic the UX is a far greater challenge.

So in my opinion, if we can get at least some of the browser implementors to do it (Yutaka Oiwa's modified Firefox is a start, I guess) then the servers will follow.
Once we get past that, the next hurdle would be to convince web designers to actually use it. But that's for the future, and really depends on how browsers implement it.

It's all riding on the browsers.

Yoav

On Feb 23, 2012, at 5:06 PM, Stephen Farrell wrote:

> 
> So I've a question for people on this list.
> 
> How many of you would be able to authoritatively say whether
> or not some new http authentication technology that might be
> produced in a separate http authentication wg would actually
> be adopted? (Where "authoritatively say" has the usual
> qualifications that we're not discussing specific product
> plans etc. etc.)
> 
> I'm not sure myself but am concerned that we not spin up a
> security WG the output of which gets more-or-less ignored by
> the major vendors/implementers.
> 
> I don't know if that's the case or not, but, assuming that
> this list has many of the people who'd work in such a WG, I'd
> like to have a better feel for that  so's we don't do the
> wrong thing.
> 
> I realise that if such a WG were chartered, then new folks
> would also come along as well, so this is just looking for
> another input, and isn't intended to produce any definitive
> answer to anything.
> 
> S
> 
> PS: I guess it's possible some people might prefer to answer
> this off-list (or partly off-list). If so, maybe mail Peter
> and myself and we can summarise back to the list later.
> 
> On 02/22/2012 07:12 PM, Peter Saint-Andre wrote:
>> FYI, there is a relevant thread happening on other lists...
>> 
>> -------- Original Message --------
>> Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis
>> (httpbis)
>> Date: Wed, 22 Feb 2012 10:39:49 -0800
>> From: Paul Hoffman<paul.hoffman@vpnc.org>
>> To: Stephen Farrell<stephen.farrell@cs.tcd.ie>
>> CC: Peter Saint-Andre<stpeter@stpeter.im>, ietf-http-wg@w3.org,
>> The IESG<iesg@ietf.org>, IETF-Discussion<ietf@ietf.org>
>> 
>> On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote:
>> 
>>> Regardless of that you do have a fair point that asking
>>> apps folks to do stuff that'll please security folks might
>>> be asking for trouble:-)
>>> 
>>> However, the counter to that is that security folks doing
>>> stuff without enough apps input might produce something that
>>> won't get adopted which also doesn't produce the right end
>>> result.
>>> 
>>> Anyway, I think this topic, if tackled, won't lack
>>> interested participants and will get plenty of security
>>> and apps input no matter how we organise it.
>> 
>> 
>> Peter St.Andre's suggestion of a separate WG to deal specifically with
>> HTTP authentication seems like the best way to be sure both sets of
>> parties are fully involved. If the IESG charters it within the next few
>> months, the HTTP 2.0 work can be informed by any changes (if any) that
>> are needed.
>> 
>> --Paul Hoffman
>> 
>> _______________________________________________
>> http-auth mailing list
>> http-auth@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-auth
>> 


From hhalpin@w3.org  Fri Feb 24 03:43:43 2012
Return-Path: <hhalpin@w3.org>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8FEA21F8677 for <http-auth@ietfa.amsl.com>; Fri, 24 Feb 2012 03:43:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.307
X-Spam-Level: 
X-Spam-Status: No, score=-9.307 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MISSING_HEADERS=1.292, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4sBHtjFYjV5Q for <http-auth@ietfa.amsl.com>; Fri, 24 Feb 2012 03:43:42 -0800 (PST)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by ietfa.amsl.com (Postfix) with ESMTP id B744821F8672 for <http-auth@ietf.org>; Fri, 24 Feb 2012 03:43:42 -0800 (PST)
Received: from men75-11-88-175-104-179.fbx.proxad.net ([88.175.104.179] helo=[192.168.1.46]) by jay.w3.org with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <hhalpin@w3.org>) id 1S0tYr-0002YH-Dt for http-auth@ietf.org; Fri, 24 Feb 2012 06:43:41 -0500
Message-ID: <4F47781B.4070007@w3.org>
Date: Fri, 24 Feb 2012 12:44:27 +0100
From: Harry Halpin <hhalpin@w3.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.26) Gecko/20120131 Lightning/1.0b2 Thunderbird/3.1.18
MIME-Version: 1.0
CC: "http-auth@ietf.org" <http-auth@ietf.org>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org>	<4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie>	<CAK3OfOgFvEg3CxcVsDURaG8KZAP_wdPdCn4iiL2Q3EGZDBySuA@mail.gmail.com> <A3B043B5-DA12-4DE2-967B-134D438C598E@jpl.nasa.gov>
In-Reply-To: <A3B043B5-DA12-4DE2-967B-134D438C598E@jpl.nasa.gov>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [http-auth] IETF, W3C, and Web Authentication [was W3C and Web Authentication [was Re: Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)]]
X-List-Received-Date: Fri, 24 Feb 2012 11:43:44 -0000

On 02/24/2012 02:24 AM, Henry B. Hotz wrote:
> To answer Stephen's question:  I have no special influence with browser makers.
>
> On Feb 23, 2012, at 8:01 AM, Nico Williams wrote:
>
>> Likelihood of adoption hinges on a lot of things, of which browser
>> adoption is but one critical element.
> Yes.  However I tend to think it's the biggest critical element.  Everyone doing an authentication scheme always starts with the question of what the browsers will support.

The W3C has a pretty good track record lately of figuring out what can 
get in browsers, also would like to see forward movement on Web 
Authentication in close co-operation with the IETF.

Improved authentication was the original point of the Identity in the 
Browser in the workshop [1], but browser vendors did not see a clear 
path forward. However, there was clear demand for better JS crypto, so 
after many iterations, we now have the Web Cryptography Working Group to 
produce a unified JS API for crypto primitives in the browser [2]. Note 
that this JS API has agreement to be implemented from all major browser 
vendors and the WG launches first week of March.

However, I consider this work to be a stepping stone to fixing the 
larger Web authentication and identity problem on the Web. My personal 
intuition is that some of the capabilities enabled by the Crypto API 
could be easily combined with work around OAuth flows and possibly 
BrowserID (now Mozilla Persona [3]) to really help authentication on the 
Web without the impossible task of standardizing browser UX.

  Another interesting path discussed heavily at the workshop was 
co-ordination of authentication with the platform identity managers 
outside the Web (thus bypassing the DOM problems), but then you have to 
co-ordinate not only browsers, but operating systems.

We have booked a room at IETF Paris to discuss these approaches 
informally, and as soon as I know the room/date, I'll forward this out.
Perhaps something as closely co-ordinated as the RTCWeb/WebRTC work 
could come out of this.

   cheers,
       harry

[1] http://www.w3.org/2011/identity-ws/report.html
[2] http://www.w3.org/2011/11/webcryptography-charter.html
[3] http://www.h-online.com/open/news/item/Mozilla-revamps-BrowserID-as-Persona-1442304.html

> Even a custom plug-in appears to be too steep a barrier for most developers.  It doesn't seem to be the development effort per-se, but a generic concern about being too far from the well-used capabilities.  That said I think a plug-in implementation for the majority of the browsers, coupled with Apache/IIS support that wasn't too much harder than TLS server certs to set up might fly.  But only *IF* there were a commitment by more than one browser maker to build it in in the future.
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>


From henry.story@bblfish.net  Fri Feb 24 07:14:57 2012
Return-Path: <henry.story@bblfish.net>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B77721F87B5 for <http-auth@ietfa.amsl.com>; Fri, 24 Feb 2012 07:14:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QSqz7p4UBkmY for <http-auth@ietfa.amsl.com>; Fri, 24 Feb 2012 07:14:55 -0800 (PST)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by ietfa.amsl.com (Postfix) with ESMTP id 79A3021F87A1 for <http-auth@ietf.org>; Fri, 24 Feb 2012 07:14:55 -0800 (PST)
Received: by wibhm9 with SMTP id hm9so1901357wib.31 for <http-auth@ietf.org>; Fri, 24 Feb 2012 07:14:54 -0800 (PST)
Received-SPF: pass (google.com: domain of henry.story@bblfish.net designates 10.216.137.230 as permitted sender) client-ip=10.216.137.230; 
Authentication-Results: mr.google.com; spf=pass (google.com: domain of henry.story@bblfish.net designates 10.216.137.230 as permitted sender) smtp.mail=henry.story@bblfish.net
Received: from mr.google.com ([10.216.137.230]) by 10.216.137.230 with SMTP id y80mr1456207wei.21.1330096494734 (num_hops = 1); Fri, 24 Feb 2012 07:14:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer :x-gm-message-state; bh=7e+M5q14aNOQEElV7fBYTjdl1UBiQrNx3jIp1KZEKVo=; b=fQqdgu5jlcgcdnBeGJVryKJ2Y8kIXT3FUhEQITskuZfztCwj85miCw/EV9qfrhGYcr rBAyBYJdpbv/1bZmby/n7PT1Q7+dSu2AFyvjoBX+O6mJB4h1v1XOFJ7IoDjWHDZFXYYD jyZu7MdutaiVt8uKYdpVLAkH7wFtKkw76QWt4=
Received: by 10.216.137.230 with SMTP id y80mr1173273wei.21.1330096494643; Fri, 24 Feb 2012 07:14:54 -0800 (PST)
Received: from bblfish.home (ALagny-551-1-7-2.w90-35.abo.wanadoo.fr. [90.35.250.2]) by mx.google.com with ESMTPS id s2sm9773359wix.3.2012.02.24.07.14.51 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 24 Feb 2012 07:14:51 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=us-ascii
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <4F47781B.4070007@w3.org>
Date: Fri, 24 Feb 2012 16:14:50 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <97C3C23F-6B12-456D-8034-F2F70CAD45AD@bblfish.net>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org>	<4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie>	<CAK3OfOgFvEg3CxcVsDURaG8KZAP_wdPdCn4iiL2Q3EGZDBySuA@mail.gmail.com> <A3B043B5-DA12-4DE2-967B-134D438C598E@jpl.nasa.gov> <4F47781B.4070007@w3.org>
To: Harry Halpin <hhalpin@w3.org>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQms6I85BIoLKUHohYpZp8jR7cx0nI/yQNOhcPufIdSk/gQn1k4UY+7zHFUDUxayLWwmR4vw
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] IETF, W3C, and Web Authentication [was W3C and Web Authentication [was Re: Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)]]
X-List-Received-Date: Fri, 24 Feb 2012 15:14:57 -0000

On 24 Feb 2012, at 12:44, Harry Halpin wrote:

> On 02/24/2012 02:24 AM, Henry B. Hotz wrote:
>> To answer Stephen's question:  I have no special influence with browser makers.
>>
>> On Feb 23, 2012, at 8:01 AM, Nico Williams wrote:
>>
>>> Likelihood of adoption hinges on a lot of things, of which browser
>>> adoption is but one critical element.
>> Yes.  However I tend to think it's the biggest critical element.  Everyone doing an authentication scheme always starts with the question of what the browsers will support.
>
> The W3C has a pretty good track record lately of figuring out what can get in browsers, also would like to see forward movement on Web Authentication in close co-operation with the IETF.
>
> Improved authentication was the original point of the Identity in the Browser in the workshop [1], but browser vendors did not see a clear path forward. However, there was clear demand for better JS crypto, so after many iterations, we now have the Web Cryptography Working Group to produce a unified JS API for crypto primitives in the browser [2]. Note that this JS API has agreement to be implemented from all major browser vendors and the WG launches first week of March.
>
> However, I consider this work to be a stepping stone to fixing the larger Web authentication and identity problem on the Web. My personal intuition is that some of the capabilities enabled by the Crypto API could be easily combined with work around OAuth flows and possibly BrowserID (now Mozilla Persona [3]) to really help authentication on the Web without the impossible task of standardizing browser UX.
>
> Another interesting path discussed heavily at the workshop was co-ordination of authentication with the platform identity managers outside the Web (thus bypassing the DOM problems), but then you have to co-ordinate not only browsers, but operating systems.
>
> We have booked a room at IETF Paris to discuss these approaches informally, and as soon as I know the room/date, I'll forward this out.  Perhaps something as closely co-ordinated as the RTCWeb/WebRTC work could come out of this.

I live near Paris, and will be here too for the first day, though I have to go to an EU security conference in Switzerland that week too. Perhaps this would be a good opportunity to meet people from the group to chat with, and perhaps to present WebID too, for which the spec is http://webid.info/spec/ - WebID relies very strongly on TLS and many IETF standards.


	Henry

>
>  cheers,
>      harry
>
> [1] http://www.w3.org/2011/identity-ws/report.html
> [2] http://www.w3.org/2011/11/webcryptography-charter.html
> [3] http://www.h-online.com/open/news/item/Mozilla-revamps-BrowserID-as-Persona-1442304.html
>
>> Even a custom plug-in appears to be too steep a barrier for most developers.  It doesn't seem to be the development effort per-se, but a generic concern about being too far from the well-used capabilities.  That said I think a plug-in implementation for the majority of the browsers, coupled with Apache/IIS support that wasn't too much harder than TLS server certs to set up might fly.  But only *IF* there were a commitment by more than one browser maker to build it in in the future.
>>
>> ------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>>

Social Web Architect
http://bblfish.net/


From stpeter@stpeter.im  Mon Feb 27 16:14:08 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E90B921F86D8 for <http-auth@ietfa.amsl.com>; Mon, 27 Feb 2012 16:14:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.651
X-Spam-Level: 
X-Spam-Status: No, score=-102.651 tagged_above=-999 required=5 tests=[AWL=-0.052, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i2A75KR19Lbv for <http-auth@ietfa.amsl.com>; Mon, 27 Feb 2012 16:14:07 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id E07CC21F86D6 for <http-auth@ietf.org>; Mon, 27 Feb 2012 16:14:07 -0800 (PST)
Received: from squire.local (unknown [64.101.72.114]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id E30F240058; Mon, 27 Feb 2012 17:25:38 -0700 (MST)
Message-ID: <4F4C1C4D.8080703@stpeter.im>
Date: Mon, 27 Feb 2012 17:14:05 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Henry Story <henry.story@bblfish.net>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org>	<4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie>	<CAK3OfOgFvEg3CxcVsDURaG8KZAP_wdPdCn4iiL2Q3EGZDBySuA@mail.gmail.com> <A3B043B5-DA12-4DE2-967B-134D438C598E@jpl.nasa.gov> <4F47781B.4070007@w3.org> <97C3C23F-6B12-456D-8034-F2F70CAD45AD@bblfish.net>
In-Reply-To: <97C3C23F-6B12-456D-8034-F2F70CAD45AD@bblfish.net>
X-Enigmail-Version: 1.3.5
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] IETF, W3C, and Web Authentication [was W3C and Web Authentication [was Re: Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)]]
X-List-Received-Date: Tue, 28 Feb 2012 00:14:09 -0000

On 2/24/12 8:14 AM, Henry Story wrote:
> 
> On 24 Feb 2012, at 12:44, Harry Halpin wrote:
> 
>> On 02/24/2012 02:24 AM, Henry B. Hotz wrote:
>>> To answer Stephen's question:  I have no special influence with browser makers.
>>>
>>> On Feb 23, 2012, at 8:01 AM, Nico Williams wrote:
>>>
>>>> Likelihood of adoption hinges on a lot of things, of which browser
>>>> adoption is but one critical element.
>>> Yes.  However I tend to think it's the biggest critical element.  Everyone doing an authentication scheme always starts with the question of what the browsers will support.
>>
>> The W3C has a pretty good track record lately of figuring out what can get in browsers, also would like to see forward movement on Web Authentication in close co-operation with the IETF.
>>
>> Improved authentication was the original point of the Identity in the Browser in the workshop [1], but browser vendors did not see a clear path forward. However, there was clear demand for better JS crypto, so after many iterations, we now have the Web Cryptography Working Group to produce a unified JS API for crypto primitives in the browser [2]. Note that this JS API has agreement to be implemented from all major browser vendors and the WG launches first week of March.
>>
>> However, I consider this work to be a stepping stone to fixing the larger Web authentication and identity problem on the Web. My personal intuition is that some of the capabilities enabled by the Crypto API could be easily combined with work around OAuth flows and possibly BrowserID (now Mozilla Persona [3]) to really help authentication on the Web without the impossible task of standardizing browser UX.
>>
>> Another interesting path discussed heavily at the workshop was co-ordination of authentication with the platform identity managers outside the Web (thus bypassing the DOM problems), but then you have to co-ordinate not only browsers, but operating systems.
>>
>> We have booked a room at IETF Paris to discuss these approaches informally, and as soon as I know the room/date, I'll forward this out.  Perhaps something as closely co-ordinated as the RTCWeb/WebRTC work could come out of this.
> 
> I live near Paris, and will be here too for the first day, though I have to go to an EU security conference in Switzerland that week too. Perhaps this would be a good opportunity to meet people from the group to chat with, and perhaps to present WebID too, for which the spec is http://webid.info/spec/ - WebID relies very strongly on TLS and many IETF standards.

As you can see, the schedule is quite full:

https://datatracker.ietf.org/meeting/83/agenda.html

Perhaps a get-together on Sunday evening (March 25) would make sense.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From yutaka-oiwa-aist-temp@g.oiwa.jp  Mon Feb 27 23:29:15 2012
Return-Path: <yutaka-oiwa-aist-temp@g.oiwa.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2857621E8017 for <http-auth@ietfa.amsl.com>; Mon, 27 Feb 2012 23:29:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level: 
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fg33cCpUs1uR for <http-auth@ietfa.amsl.com>; Mon, 27 Feb 2012 23:29:14 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 7962221E800F for <http-auth@ietf.org>; Mon, 27 Feb 2012 23:29:14 -0800 (PST)
Received: by vbbez10 with SMTP id ez10so2012119vbb.31 for <http-auth@ietf.org>; Mon, 27 Feb 2012 23:29:13 -0800 (PST)
Received-SPF: pass (google.com: domain of yutaka-oiwa-aist-temp@g.oiwa.jp designates 10.52.240.177 as permitted sender) client-ip=10.52.240.177; 
Authentication-Results: mr.google.com; spf=pass (google.com: domain of yutaka-oiwa-aist-temp@g.oiwa.jp designates 10.52.240.177 as permitted sender) smtp.mail=yutaka-oiwa-aist-temp@g.oiwa.jp
Received: from mr.google.com ([10.52.240.177]) by 10.52.240.177 with SMTP id wb17mr11208189vdc.63.1330414153813 (num_hops = 1); Mon, 27 Feb 2012 23:29:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.240.177 with SMTP id wb17mr9214461vdc.63.1330414153588; Mon, 27 Feb 2012 23:29:13 -0800 (PST)
Sender: yutaka@g.oiwa.jp
X-Google-Sender-Delegation: yutaka@g.oiwa.jp
Received: by 10.220.47.12 with HTTP; Mon, 27 Feb 2012 23:29:13 -0800 (PST)
In-Reply-To: <4F4C1C4D.8080703@stpeter.im>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie> <CAK3OfOgFvEg3CxcVsDURaG8KZAP_wdPdCn4iiL2Q3EGZDBySuA@mail.gmail.com> <A3B043B5-DA12-4DE2-967B-134D438C598E@jpl.nasa.gov> <4F47781B.4070007@w3.org> <97C3C23F-6B12-456D-8034-F2F70CAD45AD@bblfish.net> <4F4C1C4D.8080703@stpeter.im>
Date: Tue, 28 Feb 2012 16:29:13 +0900
X-Google-Sender-Auth: 6f63qJR8jF3CDstZoS-ANX_vvv4
Message-ID: <CAL8DUN-iBvT7Xy5dAP9EUbBR-D5DoB2ebCM=_N=rPJ1-3C+fVA@mail.gmail.com>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQlitltv/92MnIVP3X2iAwwhCgDL5kom/6JEAycPNlXIvTTdbsyG4qSnKg2yRHtuWK+sXJt9
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] IETF, W3C, and Web Authentication [was W3C and Web Authentication [was Re: Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)]]
X-List-Received-Date: Tue, 28 Feb 2012 07:29:15 -0000

2012/2/28 Peter Saint-Andre <stpeter@stpeter.im>:
>
> As you can see, the schedule is quite full:
>
> https://datatracker.ietf.org/meeting/83/agenda.html
>
> Perhaps a get-together on Sunday evening (March 25) would make sense.

I'm really looking forward to seeing all of you soon.
I'm planning to be there from Saturday evening.

-- 
Yutaka OIWA, Ph.D.                    Research Scientist
Research Center for Information Security (RCIS)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

From ynir@checkpoint.com  Mon Feb 27 23:49:26 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13B2021F84A2 for <http-auth@ietfa.amsl.com>; Mon, 27 Feb 2012 23:49:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.456
X-Spam-Level: 
X-Spam-Status: No, score=-10.456 tagged_above=-999 required=5 tests=[AWL=0.143, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DmnU-B--MlDB for <http-auth@ietfa.amsl.com>; Mon, 27 Feb 2012 23:49:25 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 0474421F84A1 for <http-auth@ietf.org>; Mon, 27 Feb 2012 23:49:24 -0800 (PST)
X-CheckPoint: {4F4C82A6-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q1S7n51J028924;  Tue, 28 Feb 2012 09:49:13 +0200
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Tue, 28 Feb 2012 09:49:12 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Tue, 28 Feb 2012 09:49:11 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "'Yutaka OIWA'" <y.oiwa@aist.go.jp>, Peter Saint-Andre <stpeter@stpeter.im>
Date: Tue, 28 Feb 2012 09:49:11 +0200
Thread-Topic: [http-auth] IETF, W3C, and Web Authentication [was W3C and Web Authentication [was Re: Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)]]
Thread-Index: Acz16rRIf43ILVEeTzyvSYpJ0w3DMAAArDWw
Message-ID: <006FEB08D9C6444AB014105C9AEB133F017A753259ED@il-ex01.ad.checkpoint.com>
References: <6697C0B0-FE11-45D3-A300-CEF1496D4688@vpnc.org> <4F453E0A.7020308@stpeter.im> <4F465604.2080501@cs.tcd.ie> <CAK3OfOgFvEg3CxcVsDURaG8KZAP_wdPdCn4iiL2Q3EGZDBySuA@mail.gmail.com> <A3B043B5-DA12-4DE2-967B-134D438C598E@jpl.nasa.gov> <4F47781B.4070007@w3.org>	<97C3C23F-6B12-456D-8034-F2F70CAD45AD@bblfish.net> <4F4C1C4D.8080703@stpeter.im> <CAL8DUN-iBvT7Xy5dAP9EUbBR-D5DoB2ebCM=_N=rPJ1-3C+fVA@mail.gmail.com>
In-Reply-To: <CAL8DUN-iBvT7Xy5dAP9EUbBR-D5DoB2ebCM=_N=rPJ1-3C+fVA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] IETF, W3C, and Web Authentication [was W3C and Web Authentication [was Re: Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)]]
X-List-Received-Date: Tue, 28 Feb 2012 07:49:26 -0000

I'll be there from Sunday noon, so Sunday evening works for me.

-----Original Message-----
From: http-auth-bounces@ietf.org [mailto:http-auth-bounces@ietf.org] On Behalf Of Yutaka OIWA
Sent: 28 February 2012 09:29
To: Peter Saint-Andre
Cc: http-auth@ietf.org
Subject: Re: [http-auth] IETF, W3C, and Web Authentication [was W3C and Web Authentication [was Re: Fwd: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)]]

2012/2/28 Peter Saint-Andre <stpeter@stpeter.im>:
>
> As you can see, the schedule is quite full:
>
> https://datatracker.ietf.org/meeting/83/agenda.html
>
> Perhaps a get-together on Sunday evening (March 25) would make sense.

I'm really looking forward to seeing all of you soon.
I'm planning to be there from Saturday evening.

