
From stpeter@stpeter.im  Fri Mar  2 08:57:34 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D877721F86C2 for <http-auth@ietfa.amsl.com>; Fri,  2 Mar 2012 08:57:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.464
X-Spam-Level: 
X-Spam-Status: No, score=-102.464 tagged_above=-999 required=5 tests=[AWL=-0.465, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ep8HKinnZal2 for <http-auth@ietfa.amsl.com>; Fri,  2 Mar 2012 08:57:34 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 2FB8B21F86A2 for <http-auth@ietf.org>; Fri,  2 Mar 2012 08:57:34 -0800 (PST)
Received: from squire.local (unknown [64.101.72.114]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 4A4A940058; Fri,  2 Mar 2012 10:09:17 -0700 (MST)
Message-ID: <4F50FBFC.4000800@stpeter.im>
Date: Fri, 02 Mar 2012 09:57:32 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>,  "http-auth@ietf.org" <http-auth@ietf.org>
X-Enigmail-Version: 1.3.5
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [http-auth] RFC 2617 erratum on DIGEST auth
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2012 16:57:35 -0000

Dear HTTP folks,

I'd appreciate guidance regarding the processing of Erratum #1649, filed
against RFC 2617 over three years ago. In accordance with
http://www.ietf.org/iesg/statement/errata-processing.html do people
think this is a valid erratum, or is further discussion needed?

###

Errata ID: 1649

Status: Reported
Type: Technical

Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-08
Edited by: Alexey Melnikov
Date Edited: 2010-07-07

Section 5 says:

 /* calculate H(A1) as per spec */
      void DigestCalcHA1(
          IN char * pszAlg,
          IN char * pszUserName,
          IN char * pszRealm,
          IN char * pszPassword,
          IN char * pszNonce,
          IN char * pszCNonce,
          OUT HASHHEX SessionKey
          )
      {
            MD5_CTX Md5Ctx;
            HASH HA1;

            MD5Init(&Md5Ctx);
            MD5Update(&Md5Ctx, pszUserName, strlen(pszUserName));
            MD5Update(&Md5Ctx, ":", 1);
            MD5Update(&Md5Ctx, pszRealm, strlen(pszRealm));
            MD5Update(&Md5Ctx, ":", 1);
            MD5Update(&Md5Ctx, pszPassword, strlen(pszPassword));
            MD5Final(HA1, &Md5Ctx);
            if (stricmp(pszAlg, "md5-sess") == 0) {
                  MD5Init(&Md5Ctx);
|                 MD5Update(&Md5Ctx, HA1, HASHLEN);
                  MD5Update(&Md5Ctx, ":", 1);
                  MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
                  MD5Update(&Md5Ctx, ":", 1);
                  MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
                  MD5Final(HA1, &Md5Ctx);
            };
            CvtHex(HA1, SessionKey);
      };

It should say:

 /* calculate H(A1) as per spec */
      void DigestCalcHA1(
          IN char * pszAlg,
          IN char * pszUserName,
          IN char * pszRealm,
          IN char * pszPassword,
          IN char * pszNonce,
          IN char * pszCNonce,
          OUT HASHHEX SessionKey
          )
      {
            MD5_CTX Md5Ctx;
            HASH HA1;
|           HASHHEX HA1Hex;

            MD5Init(&Md5Ctx);
            MD5Update(&Md5Ctx, pszUserName, strlen(pszUserName));
            MD5Update(&Md5Ctx, ":", 1);
            MD5Update(&Md5Ctx, pszRealm, strlen(pszRealm));
            MD5Update(&Md5Ctx, ":", 1);
            MD5Update(&Md5Ctx, pszPassword, strlen(pszPassword));
            MD5Final(HA1, &Md5Ctx);
            if (stricmp(pszAlg, "md5-sess") == 0) {
|                 CvtHex(HA1, HA1Hex);
                  MD5Init(&Md5Ctx);
|                 MD5Update(&Md5Ctx, HA1Hex, HASHHEXLEN);
                  MD5Update(&Md5Ctx, ":", 1);
                  MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
                  MD5Update(&Md5Ctx, ":", 1);
                  MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
                  MD5Final(HA1, &Md5Ctx);
            };
            CvtHex(HA1, SessionKey);
      };

Notes:

DigestCalcHA1 sample implementation has to be corrected.

###

Thanks!

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From henrik@henriknordstrom.net  Fri Mar  2 12:09:40 2012
Return-Path: <henrik@henriknordstrom.net>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43B9521F8517 for <http-auth@ietfa.amsl.com>; Fri,  2 Mar 2012 12:09:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AC+nW7kbLjKx for <http-auth@ietfa.amsl.com>; Fri,  2 Mar 2012 12:09:39 -0800 (PST)
Received: from vps1.henriknordstrom.net (vps1.henriknordstrom.net [IPv6:2a02:750:7::d0a]) by ietfa.amsl.com (Postfix) with ESMTP id 8F3FB21F8512 for <http-auth@ietf.org>; Fri,  2 Mar 2012 12:09:39 -0800 (PST)
Received: from home.hno.se (home.hno.se [IPv6:2001:470:df90::1]) (authenticated bits=128) by vps1.henriknordstrom.net (8.14.2/8.14.2/Debian-2build1) with ESMTP id q22K9ZDp016325; Fri, 2 Mar 2012 20:09:37 GMT
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by home.hno.se (8.14.5/8.14.5) with ESMTP id q22K9WbO009454; Fri, 2 Mar 2012 21:09:32 +0100
Message-ID: <1330718972.1807.83.camel@home.hno.se>
From: Henrik Nordström <henrik@henriknordstrom.net>
To: Peter Saint-Andre <stpeter@stpeter.im>
Date: Fri, 02 Mar 2012 21:09:32 +0100
In-Reply-To: <4F50FBFC.4000800@stpeter.im>
References: <4F50FBFC.4000800@stpeter.im>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.3 (3.2.3-1.fc16) 
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (vps1.henriknordstrom.net [IPv6:2a02:750:7::d0a]); Fri, 02 Mar 2012 20:09:37 +0000 (UTC)
X-Mailman-Approved-At: Fri, 02 Mar 2012 13:03:45 -0800
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [http-auth] RFC 2617 erratum on DIGEST auth
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2012 20:09:40 -0000

fre 2012-03-02 klockan 09:57 -0700 skrev Peter Saint-Andre:
> Dear HTTP folks,
> 
> I'd appreciate guidance regarding the processing of Erratum #1649, filed
> against RFC 2617 over three years ago. In accordance with
> http://www.ietf.org/iesg/statement/errata-processing.html do people
> think this is a valid erratum, or is further discussion needed?

It's valid.

All MD5 hashes in Digest are in their hex-ascii representation form
(3.1.3). So

         H(data) = MD5(data)

MD5-sess    A1  = H( unq(username-value) ":" unq(realm-value)
                     ":" passwd )
                     ":" unq(nonce-value) ":" unq(cnonce-value)

Gives that the initial hashed part is the 32-character hex MD5 hash
H( unq(username-value) ":" unq(realm-value) ":" passwd )

Note that the example is in general very poor at demonstrating MD5-sess
usage and I would expect many to get the cnonce wrong from looking at
this example code. The code looks innocently capable of MD5-sess when it
in fact is only showing normal MD5 usage. And it does not help that the
code calculates H(A1) directly where the text describing the difference
between MD5 and MD5-sess is only looking at A1.

Regards
Henrik

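The computation Henrik spells out above, as an added example that is not part of the RFC 2617 sample code or of either message. It is written in Python with hashlib rather than C so that the difference between the two MD5-sess variants is visible in the data being hashed: the corrected H(A1) feeds the 32 hex characters of the inner hash into the second MD5, whereas the uncorrected DigestCalcHA1 feeds the 16 raw digest bytes. The username, realm, password, nonce, cnonce and URI are the values from the worked example in RFC 2617 section 3.5 (algorithm MD5, qop=auth); the MD5-sess run reuses those same values, which the RFC does not do, so its two outputs are shown only to demonstrate that they differ. Function names are my own.

```python
# Added example (not RFC 2617 or erratum 1649 code): Digest H(A1) and
# request-digest with hashlib, contrasting the corrected MD5-sess H(A1)
# with what the original RFC 2617 sample code computed.
import hashlib


def H(data: str) -> str:
    """H(data) = MD5(data), as 32 lowercase hex characters (RFC 2617 3.1.3)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}")


def ha1(username, realm, password, algorithm="MD5", nonce="", cnonce=""):
    """H(A1) per RFC 2617 3.2.2.2, following erratum 1649 for MD5-sess:
    the inner hash is re-hashed in its 32-character hex form together
    with the nonce and cnonce."""
    inner = H(f"{username}:{realm}:{password}")
    if algorithm.lower() == "md5-sess":
        return H(f"{inner}:{nonce}:{cnonce}")
    return inner


def ha1_as_in_original_sample(username, realm, password, nonce, cnonce):
    """What the uncorrected DigestCalcHA1 computed for MD5-sess: the 16 raw
    bytes of the inner digest, not its hex form, go into the second MD5.
    Kept only to show that the result differs from the corrected one."""
    raw = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    return hashlib.md5(raw + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()


def digest_response(ha1_hex, method, uri, nonce, nc=None, cnonce=None,
                    qop=None, entity_body=b""):
    """request-digest per RFC 2617 3.2.2.1, with or without qop.
    For qop=auth-int, H(A2) also covers the hash of the entity body."""
    if qop == "auth-int":
        ha2 = H(f"{method}:{uri}:{hashlib.md5(entity_body).hexdigest()}")
    else:
        ha2 = H(f"{method}:{uri}")
    if qop in ("auth", "auth-int"):
        return KD(ha1_hex, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return KD(ha1_hex, f"{nonce}:{ha2}")


# Values from the worked example in RFC 2617 section 3.5 (algorithm MD5).
RFC_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html",
    nc="00000001", cnonce="0a4f113b", qop="auth",
)


def rfc_example_response() -> str:
    """The request-digest for the RFC 2617 3.5 example GET."""
    e = RFC_EXAMPLE
    a1 = ha1(e["username"], e["realm"], e["password"])
    return digest_response(a1, "GET", e["uri"], e["nonce"],
                           e["nc"], e["cnonce"], e["qop"])


def md5_sess_comparison() -> dict:
    """Same credentials, nonce and cnonce with algorithm=MD5-sess (not an
    RFC vector): corrected H(A1) next to the original sample's result."""
    e = RFC_EXAMPLE
    return {
        "corrected": ha1(e["username"], e["realm"], e["password"],
                         "MD5-sess", e["nonce"], e["cnonce"]),
        "original_sample": ha1_as_in_original_sample(
            e["username"], e["realm"], e["password"], e["nonce"], e["cnonce"]),
    }


if __name__ == "__main__":
    print("RFC 2617 3.5 response:", rfc_example_response())
    for variant, value in md5_sess_comparison().items():
        print(f"MD5-sess H(A1), {variant}: {value}")
```

The MD5 path reproduces the response value printed in RFC 2617 section 3.5, which is a quick check that the H/KD/H(A2) plumbing is right before looking at the MD5-sess branch; a client and server that disagree on the hex-versus-raw question will each compute a self-consistent but different H(A1) and simply fail to authenticate, which is the interoperability problem the erratum is about.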

From stpeter@stpeter.im  Tue Mar  6 11:34:46 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FBDB21F84DC for <http-auth@ietfa.amsl.com>; Tue,  6 Mar 2012 11:34:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.618
X-Spam-Level: 
X-Spam-Status: No, score=-102.618 tagged_above=-999 required=5 tests=[AWL=-0.319, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Truw49tt4Qug for <http-auth@ietfa.amsl.com>; Tue,  6 Mar 2012 11:34:45 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id DC2DF21F8429 for <http-auth@ietf.org>; Tue,  6 Mar 2012 11:34:44 -0800 (PST)
Received: from dhcp-64-101-72-162.cisco.com (unknown [64.101.72.162]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 51F5E4005B; Tue,  6 Mar 2012 12:46:41 -0700 (MST)
Message-ID: <4F5666D3.4010505@stpeter.im>
Date: Tue, 06 Mar 2012 12:34:43 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Henrik Nordström <henrik@henriknordstrom.net>
References: <4F50FBFC.4000800@stpeter.im> <1330718972.1807.83.camel@home.hno.se>
In-Reply-To: <1330718972.1807.83.camel@home.hno.se>
X-Enigmail-Version: 1.3.5
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [http-auth] RFC 2617 erratum on DIGEST auth
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2012 19:34:46 -0000

On 3/2/12 1:09 PM, Henrik Nordström wrote:
> fre 2012-03-02 klockan 09:57 -0700 skrev Peter Saint-Andre:
>> Dear HTTP folks,
>>
>> I'd appreciate guidance regarding the processing of Erratum #1649, filed
>> against RFC 2617 over three years ago. In accordance with
>> http://www.ietf.org/iesg/statement/errata-processing.html do people
>> think this is a valid erratum, or is further discussion needed?
> 
> It's valid.

Thanks for checking.

> All MD5 hashes in Digest are in their hex-ascii representation form
> (3.1.3). So
> 
>          H(data) = MD5(data)
> 
> MD5-sess    A1  = H( unq(username-value) ":" unq(realm-value)
>                      ":" passwd )
>                      ":" unq(nonce-value) ":" unq(cnonce-value)
> 
> Gives that the initial hashed part is the 32-character hex MD5 hash
> H( unq(username-value) ":" unq(realm-value) ":" passwd )
> 
> Note that the example is in general very poor at demonstrating MD5-sess
> usage and I would expect many to get the cnonce wrong from looking at
> this example code. The code looks innocently capable of MD5-sess when it
> in fact is only showing normal MD5 usage. And it does not help that the
> code calculates H(A1) directly where the text describing the difference
> between MD5 and MD5-sess is only looking at A1.

Yes, there are lots of interoperability problems with DIGEST auth, and
the seemingly poor documentation in RFC 2617 (and, separately, RFC 2831
for SASL) certainly doesn't help.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From hhalpin@w3.org  Mon Mar 19 15:03:05 2012
Return-Path: <hhalpin@w3.org>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1391321F8702 for <http-auth@ietfa.amsl.com>; Mon, 19 Mar 2012 15:03:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.299
X-Spam-Level: 
X-Spam-Status: No, score=-10.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKCvRRgkDk6m for <http-auth@ietfa.amsl.com>; Mon, 19 Mar 2012 15:03:04 -0700 (PDT)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by ietfa.amsl.com (Postfix) with ESMTP id 6033921F86F6 for <http-auth@ietf.org>; Mon, 19 Mar 2012 15:03:03 -0700 (PDT)
Received: from seattle207.riseup.net ([198.252.153.207] helo=[172.27.0.15]) by jay.w3.org with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <hhalpin@w3.org>) id 1S9kfO-0006gb-Sv; Mon, 19 Mar 2012 18:03:03 -0400
Message-ID: <4F67AD46.6040703@w3.org>
Date: Mon, 19 Mar 2012 23:03:50 +0100
From: Harry Halpin <hhalpin@w3.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.27) Gecko/20120216 Lightning/1.0b2 Thunderbird/3.1.19
MIME-Version: 1.0
To: "http-auth@ietf.org" <http-auth@ietf.org>,  "public-identity@w3.org" <public-identity@w3.org>, dev-identity@lists.mozilla.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [http-auth] Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: Meeting on March 29th at IETF83
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 22:03:05 -0000

Not sure how many people are making it to IETF83, but W3C is hosting an 
onsite meeting on Thursday to discuss OAuth, BrowserID, OpenID, and the 
upcoming W3C Web Cryptography Working Group. Everyone is invited!

==Beyond HTTP Authentication: OAuth, OpenID, and BrowserID==

=Time and Location=

Thursday lunchtime (1130 to 1300) in room 252A just between the SCIM BoF 
and OAuth WG as part of IETF83 in Paris.

= Problem Statement=

While OAuth has solved the authorization problem, currently 
authentication on the Web is still insecure as it has yet for the most 
part failed to go beyond user-names and passwords. However, at this 
point a number of new client-side capabilities, including the 
possibility of W3C standardized Javascript cryptographic primitives, are 
emerging and a number of specifications such as OpenID Connect, 
BrowserID, and discussions over the future of HTTP Auth have shown that 
there is interest in understanding better how client-side key material 
can be used to enable a more secure Web authentication. However, there 
has yet to be consensus on how client-side cryptography can enable 
higher-security OAuth flows. The purpose of this side meeting is to look 
at a more coherent picture of how technologies in the space of identity, 
authentication, and authorization combine and interact and to help frame 
future work in Web authentication.

This informal meeting will present a number of proposed technical 
proposals in brief, including relationships to other existing work (such 
as RTCWeb and the upcoming W3C Web Cryptography Working Group), and to 
help frame future work in the area, and then proceed with open discussion.

For any questions, please contact Harry Halpin (hhalpin@w3.org)

=Schedule:=

11:30-11:45 Lightning presentations to "level-set" participants.

Mike Jones (Microsoft) will present the latest work from JOSE and OpenID 
Connect
Eric Rescorla (Mozilla hat on) will present Mozilla Persona and 
RTCWeb/WebRTC work
Blaine Cook will present OAuth 2.0
Harry Halpin (W3C) will present the upcoming W3C Web Cryptography API.

11:45-13:00 Open discussion on co-ordination between OAuth, HTTP Auth, 
OpenID Connect, BrowserID, and W3C.

From stephen.farrell@cs.tcd.ie  Tue Mar 20 04:59:32 2012
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC6E121F8652 for <http-auth@ietfa.amsl.com>; Tue, 20 Mar 2012 04:59:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.299
X-Spam-Level: 
X-Spam-Status: No, score=-102.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_43=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N9+CAcA8Ay7w for <http-auth@ietfa.amsl.com>; Tue, 20 Mar 2012 04:59:32 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id DDE0221F8649 for <http-auth@ietf.org>; Tue, 20 Mar 2012 04:59:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 07EE9171CAE for <http-auth@ietf.org>; Tue, 20 Mar 2012 11:59:31 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1332244770; bh=u8AUSOOWAnrq2l KxkqBqrBHYrUQoOVH7MLQ+zkuUOXc=; b=5CSpFayiVDlPl2BOYZr0znC+/4/Fx1 osDJK29PZ7OcbrRVgdMsVW5DKL5zP29Lw2PUN+QmZ3dWKBemNET70Z6410Qx9ata 2fzLmla6ZRvw7r+h9pmY0Qi0dybbOReBRiwiahMZCgI3WGMC8Ama5n/6ylwvzhyb CnMIXATdu/UDjJ37Xh8yUXXBLJxDC8mY4J931VICTt6k9i2/aQ+BGXLNnEfOhHEd 6kWBqW/oQ/jJMpIWMyMTRnLFTb70qnu1BWoClkRcJmm6Za99fj2vDNeecoKf/YG+ mmTT7INQJKw5v+xd+kd12NZDJUmgG39uvs7VT9zJDiFxPV1ydu7WkU/g==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id L7suQqHa2z96 for <http-auth@ietf.org>; Tue, 20 Mar 2012 11:59:30 +0000 (GMT)
Received: from [10.87.48.7] (unknown [86.42.22.31]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 5C2BB171CA9 for <http-auth@ietf.org>; Tue, 20 Mar 2012 11:59:30 +0000 (GMT)
Message-ID: <4F687120.1020005@cs.tcd.ie>
Date: Tue, 20 Mar 2012 11:59:28 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "http-auth@ietf.org" <http-auth@ietf.org>
References: <4F67AD46.6040703@w3.org>
In-Reply-To: <4F67AD46.6040703@w3.org>
X-Forwarded-Message-Id: <4F67AD46.6040703@w3.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [http-auth] two things (was: Fwd: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: Meeting  on March 29th at IETF83)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 11:59:33 -0000

Two things,

1) see below, there's a w3c session on in Paris that might be of
interest to folks here.

And while going beyond http auth might be a lovely thing, better
http auth is still of interest to me at least:-)

2) HTTPbis has been re-chartered now and its charter [1] now
envisages folks proposing new http authentication schemes for
http/2.0. I would hope that those who've been talking about
this here will polish up their internet-drafts and propose them
to httpbis in the next short while. httpbis plan to select
zero or more of those in the next ~6 months.

If there are schemes proposed that are not adopted by httpbis
but that seem to be worth pursuing as experimental RFCs then
I'll be willing to look at starting a security working group
to handle those.

BUT, I'll be against chartering stuff for that putative group
where that stuff was not proposed to httpbis first, so if you
think your ideas in this space are worthwhile, please do
propose them to httpbis as soon as your internet-draft is up
to date.

Cheers,
S.

[1] http://tools.ietf.org/wg/httpbis/charters

-------- Original Message --------
Subject: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: 
Meeting  on March 29th at IETF83
Resent-Date: Mon, 19 Mar 2012 22:03:06 +0000
Resent-From: public-identity@w3.org
Date: Mon, 19 Mar 2012 23:03:50 +0100
From: Harry Halpin <hhalpin@w3.org>
To: http-auth@ietf.org <http-auth@ietf.org>,  public-identity@w3.org 
<public-identity@w3.org>, dev-identity@lists.mozilla.org

Not sure how many people are making it to IETF83, but W3C is hosting an
onsite meeting on Thursday to discuss OAuth, BrowserID, OpenID, and the
upcoming W3C Web Cryptography Working Group. Everyone is invited!

==Beyond HTTP Authentication: OAuth, OpenID, and BrowserID==

=Time and Location=

Thursday lunchtime (1130 to 1300) in room 252A just between the SCIM BoF
and OAuth WG as part of IETF83 in Paris.

= Problem Statement=

While OAuth has solved the authorization problem, currently
authentication on the Web is still insecure as it has yet for the most
part failed to go beyond user-names and passwords. However, at this
point a number of new client-side capabilities, including the
possibility of W3C standardized Javascript cryptographic primitives, are
emerging and a number of specifications such as OpenID Connect,
BrowserID, and discussions over the future of HTTP Auth have shown that
there is interest in understanding better how client-side key material
can be used to enable a more secure Web authentication. However, there
has yet to be consensus on how client-side cryptography can enable
higher-security OAuth flows. The purpose of this side meeting is to look
at a more coherent picture of how technologies in the space of identity,
authentication, and authorization combine and interact and to help frame
future work in Web authentication.

This informal meeting will present a number of proposed technical
proposals in brief, including relationships to other existing work (such
as RTCWeb and the upcoming W3C Web Cryptography Working Group), and to
help frame future work in the area, and then proceed with open discussion.

For any questions, please contact Harry Halpin (hhalpin@w3.org)

=Schedule:=

11:30-11:45 Lightning presentations to "level-set" participants.

Mike Jones (Microsoft) will present the latest work from JOSE and OpenID
Connect
Eric Rescorla (Mozilla hat on) will present Mozilla Persona and
RTCWeb/WebRTC work
Blaine Cook will present OAuth 2.0
Harry Halpin (W3C) will present the upcoming W3C Web Cryptography API.

11:45-13:00 Open discussion on co-ordination between OAuth, HTTP Auth,
OpenID Connect, BrowserID, and W3C.



From fcorella@pomcor.com  Mon Mar 19 20:40:04 2012
Return-Path: <fcorella@pomcor.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2785E21F8877 for <http-auth@ietfa.amsl.com>; Mon, 19 Mar 2012 20:40:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.24
X-Spam-Level: 
X-Spam-Status: No, score=-1.24 tagged_above=-999 required=5 tests=[AWL=0.758,  BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_43=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FN+qhDGEYvEb for <http-auth@ietfa.amsl.com>; Mon, 19 Mar 2012 20:40:03 -0700 (PDT)
Received: from nm4.bullet.mail.ne1.yahoo.com (nm4.bullet.mail.ne1.yahoo.com [98.138.90.67]) by ietfa.amsl.com (Postfix) with SMTP id 486BD21F884F for <http-auth@ietf.org>; Mon, 19 Mar 2012 20:40:02 -0700 (PDT)
Received: from [98.138.90.53] by nm4.bullet.mail.ne1.yahoo.com with NNFMP; 20 Mar 2012 03:39:59 -0000
Received: from [98.138.87.3] by tm6.bullet.mail.ne1.yahoo.com with NNFMP; 20 Mar 2012 03:39:59 -0000
Received: from [127.0.0.1] by omp1003.mail.ne1.yahoo.com with NNFMP; 20 Mar 2012 03:39:59 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 723038.35384.bm@omp1003.mail.ne1.yahoo.com
Received: (qmail 42113 invoked by uid 60001); 20 Mar 2012 03:33:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1332214399; bh=mIqB3WyxjeOCGIU/6qHeMD9eC15P++G7T8RQkT4ICa8=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=U3tY2LUAwbZcgEoSBEZbBUBCoSYwoqhIK0wUcv/dxvFF1vGi0wZcpu/9sF7K7JtS6S4jBOqviYcDBI5N+AEZ3HAdRECPwWnvKn0Ek+pxACdGsmNgWzaxw9vInE63/anhEOKrnObKGQ96LXMItzJBfyD/XugFl56KBCjCfLkNQlo=
X-YMail-OSG: YqpUxFUVM1lm8K96KUR5Qza50kBhLWhLWv25LkI6JOZlVMX fjA1aD62nf128PtvEpxbuTNHVTumCQwBkbsSV0PoPYJ.r7ng7hFgxmP2W9QC .DX9vmkmGcfZVB_d9DJOGSnhjyMI0W2OEgUoOptj.CtWYOUFTj1Zk_ZxN_6y sSktrQciGSVZ6bTFyW4tx4s.j4JNHiV_HyO4zo17n4XZm1M5f111E_x3U0ji xHHYlUm4jV07FS5yAiS7_jxGdtuRSrg2.2HSEPg02HbkexN51Svg7aVnGh6t gJFBHQXASj4N_UVLE84nB46tQdR0tHPLDXG6o26lC_lfucHS1GvaKH7xY1Tk yjGbZ92Lw3BLUTzsgBQu3G84IacQPoNHGqQP9dL74DItPxCxpQ73EqnMBiH9 PIMHYpkVhLZeRNtH3sgClA1Y1VGKc4Wf6Pxdv2z06WlrL6W6YLxc_Q44Crnu zvCM1pi6jQc0FrFFTUb7W6lwjWGYq1CcMhaVICJc-
Received: from [174.65.117.33] by web125502.mail.ne1.yahoo.com via HTTP; Mon, 19 Mar 2012 20:33:18 PDT
X-RocketYMMF: francisco_corella
X-Mailer: YahooMailWebService/0.8.117.340979
References: <4F67AD46.6040703@w3.org>
Message-ID: <1332214398.39729.YahooMailNeo@web125502.mail.ne1.yahoo.com>
Date: Mon, 19 Mar 2012 20:33:18 -0700 (PDT)
From: Francisco Corella <fcorella@pomcor.com>
To: Harry Halpin <hhalpin@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>,  "public-identity@w3.org" <public-identity@w3.org>, "dev-identity@lists.mozilla.org" <dev-identity@lists.mozilla.org>
In-Reply-To: <4F67AD46.6040703@w3.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1546730761-732554488-1332214398=:39729"
X-Mailman-Approved-At: Wed, 21 Mar 2012 07:24:15 -0700
Cc: Karen Lewison <kplewison@pomcor.com>
Subject: Re: [http-auth] Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: Meeting  on March 29th at IETF83
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Francisco Corella <fcorella@pomcor.com>
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 03:40:04 -0000

Harry,

Are you still planning on organizing a workshop on the use of
certificates for user authentication on the Web?  You've said a couple of
times that you wanted to have one this spring.

Francisco


>________________________________
> From: Harry Halpin <hhalpin@w3.org>
>To: "http-auth@ietf.org" <http-auth@ietf.org>; "public-identity@w3.org"
> <public-identity@w3.org>; dev-identity@lists.mozilla.org
>Sent: Monday, March 19, 2012 3:03 PM
>Subject: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID:
> Meeting on March 29th at IETF83
>
>Not sure how many people are making it to IETF83, but W3C is hosting an
>onsite meeting on Thursday to discuss OAuth, BrowserID, OpenID, and the
>upcoming W3C Web Cryptography Working Group. Everyone is invited!
>
>==Beyond HTTP Authentication: OAuth, OpenID, and BrowserID==
>
>=Time and Location=
>
>Thursday lunchtime (1130 to 1300) in room 252A just between the SCIM BoF
>and OAuth WG as part of IETF83 in Paris.
>
>= Problem Statement=
>
>While OAuth has solved the authorization problem, currently
>authentication on the Web is still insecure as it has yet for the most
>part failed to go beyond user-names and passwords. However, at this
>point a number of new client-side capabilities, including the
>possibility of W3C standardized Javascript cryptographic primitives, are
>emerging and a number of specifications such as OpenID Connect,
>BrowserID, and discussions over the future of HTTP Auth have shown that
>there is interest in understanding better how client-side key material
>can be used to enable a more secure Web authentication. However, there
>has yet to be consensus on how client-side cryptography can enable
>higher-security OAuth flows. The purpose of this side meeting is to look
>at a more coherent picture of how technologies in the space of identity,
>authentication, and authorization combine and interact and to help frame
>future work in Web authentication.
>
>This informal meeting will present a number of proposed technical
>proposals in brief, including relationships to other existing work (such
>as RTCWeb and the upcoming W3C Web Cryptography Working Group), and to
>help frame future work in the area, and then proceed with open discussion.
>
>For any questions, please contact Harry Halpin (hhalpin@w3.org)
>
>=Schedule:=
>
>11:30-11:45 Lightning presentations to "level-set" participants.
>
>Mike Jones (Microsoft) will present the latest work from JOSE and OpenID
>Connect
>Eric Rescorla (Mozilla hat on) will present Mozilla Persona and
>RTCWeb/WebRTC work
>Blaine Cook will present OAuth 2.0
>Harry Halpin (W3C) will present the upcoming W3C Web Cryptography API.
>
>11:45-13:00 Open discussion on co-ordination between OAuth, HTTP Auth,
>OpenID Connect, BrowserID, and W3C.
