Ira McDonald blueroofmusic at gmail.com
Wed Mar 5 16:20:12 UTC 2014


A variety of updates to HTTP Basic and Digest (RFC 2617), including
UTF-8 and also four new HTTP-layer authentication mechanisms.

 - Ira

---------- Forwarded message ----------
From: Matthew Lepinski <mlepinski.ietf at gmail.com>
Date: Wed, Mar 5, 2014 at 8:35 AM
Subject: [saag] HTTPAUTH @ IETF 89
To: saag at ietf.org
Cc: Yoav Nir <ynir.ietf at gmail.com>

HTTPAUTH met on Monday at IETF 89.

The working group is preparing an update to Basic and Digest
authentication. These documents will obsolete RFC 2617. The primary goal of
this work is to support non-ASCII (i.e., UTF-8) characters in usernames
(and passwords), and to provide hash-function agility for Digest
authentication. Work on these documents is progressing well, and we expect
to have a working group last call on Digest-bis (and perhaps even both
documents) before Toronto in July.

In addition to updating Basic and Digest authentication, the group is
working on four experimental drafts that specify brand new HTTP-layer
authentication mechanisms that have security properties that cannot be
obtained via Basic or Digest authentication.

At IETF 89 we had focused discussion on issues in the SCRAM (Salted
Challenge Response Authentication Mechanism)
[draft-ietf-httpauth-scram-auth]. The group is also working on the
following experimental mechanisms (which were discussed only briefly at
IETF 89):
-- Draft-ietf-http-mutual (a password authenticated key exchange)
-- Draft-ietf-http-hoba (origin-bound authentication for HTTP)
-- Draft-ietf-http-rest-auth (restful authentication pattern for HTTP)

The four experimental documents in the working group have not received
sufficient review. If you believe that is valuable for the IETF to specify
something better than Basic/Digest for HTTP-layer authentication, then
please read one of the above documents and provide feedback on our list.

If we can get sufficient review on (at least some) of these documents, then
we will publish experimental RFCs -- implementation experience with which
would hopefully inform future standards track work on improved HTTP-layer
authentication. If we do not get sufficient review of these documents, then
we will declare victory after publishing updates to Basic and Digest and
close the group.

saag mailing list
saag at ietf.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20140305/6f3e36bc/attachment.html>

More information about the ipp mailing list