[ietf-http-auth] HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?
y.oiwa at aist.go.jp
Thu Dec 24 03:28:46 PST 2009
Dear people on IETF apps-discuss/public-web-security mailing lists
and other related lists,
I would like to introduce our proposal on HTTP mutual authentication.
(I directed the Reply-to: header to the newly-created
public-web-security mailing list, but I also welcome private replies
or those to other lists.)
Our proposal brings a strong, password-based mutual authentication
to the HTTP authentication protocol.
Our aims are to overcome several deficiencies (both for security and usability)
in current HTTP authentication mechanisms, and to replace weak form-based
authentication, which is used in most current Web apps, with
stronger HTTP protocol-supported authentication.
We designed the protocol so that (a) it removes any threats related to
password/secret stealing like phishing or other attacks, (b) it will be
extremely easy to use, and (c) it can accept many Web applications
which were not well supported by the current HTTP authentication
architecture (in RFC 2617).
We believe that this is a correct direction for the future of
the Web application authentication.
Our proposed draft spec is available from
We put a preprint paper on our concept at ArXiv
and a presentation at a past httpbis WG meeting is also available from
I would appreciate your reading and comments on those documents.
Furthermore, we have published running code of the protocol
implementation for Mozilla Firefox, available from
A pre-compiled binary, server-side implementations and a running demonstration
are available on our website
I noticed that the registration for IETF 77 at Anaheim is now open.
I would like to have a meet-up of people related to general HTTP
authentication issues/proposals at Anaheim.
I have been told by Lisa that several HTTP-related
WGs and BoFs are expected in Anaheim, and I think there will be a good
opportunity for us to meet up. If you have any good ideas, please let me know.
Have nice holidays, register for IETF 77 and see you in Anaheim!
Yutaka OIWA, Ph.D. Research Scientist
Research Center for Information Security (RCIS)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa at aist.go.jp>, <yutaka at oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]