So, from the conversation so far, these are the
architectural/protocol issues I think need discussing at the BOF:
- Discussion of the scope and number of the mechanisms. There seem to
be desires for (1) the ability for the user to identify to the server
(probably authenticating, preventing phishing as much as possible),
(2) the ability to transfer user attributes to the server, (3) the
ability to store user attributes remotely, and (4) the ability for a
3rd-party to warrant user attribute claims.
- Discussion of the pros and cons of mechanisms that involve changes
to the user agent versus mechanisms which rely on a separate identity
server to do all of the work without changing the user agent (e.g.,
DIX).
- Discussion of the types of authentication mechanisms to be used.
(I read Ben as saying it should be a general mechanism not tied to
HTTP, Eliot and Terry as saying that the underlying mechanism should
be common but that there should be HTTP-specific protocol, and John
as having no interest in solving that particular problem. :-) )
I don't think these discussions need to be spurred by presentations.
Most of this is going to be a high-level discussion and should
definitely not reference any particular mechanism. (If logistics
permit, I'd like to do a "pass the mic" format instead of standing in
a queue at the mics, and I will do floor control.) With that in mind,
here's what I have in mind for a meeting agenda:
(Pre-meeting: Find minutes and jabber people - volunteers NOW would
be useful!!)
- Start passing blue sheets, Agenda bash - 2 minutes
- What problems are we trying to solve? - 1 hour
  - Discuss what sort of authentication/identification from user to
    server is desired
    - Anti-phishing discussion here
  - Discuss what sort of attribute info from user to server is desired
  - Discuss whether remote storage of attributes is desired
  - Discuss whether 3rd-party claims are desired
- What sorts of mechanisms should we use? - 1 hour
  - Discuss downsides of using current web auth mechanisms (i.e.,
    user-agent changes)
  - Discuss downsides of using mechanisms that include no user-agent changes
  - Discuss authentication mechanism in light of above discussions
- What work items do we have? - 28 minutes
  - Enumerate work items
  - Enumerate documents (if different than above)
  - Enumerate editors
- End
I have posted this for the agenda web page, but we can always make changes.
pr
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102