Overdue time to send these in. Please make a last check before I send
them and YELL QUICKLY if there are issues. I've incorporated Eliot's
notes into Dick's and cleaned up a bit.
----
Web Authentication Enhancement BOF (WAE)
FRIDAY, July 14, 2006
0900-1130 Morning Session I
Room 519A
Chair: Pete Resnick
Minutes: Dick Hardt
(Additional Notes: Eliot Lear)
The meeting started off with the usual agenda review. Agenda was
accepted as proposed.
The first item was Terminology.
Reading assignment: read RFC 2828
Internet Security Glossary
http://www.ietf.org/rfc/rfc2828.txt
Other Glossaries mentioned:
Internet Security Glossary, Version 2
http://www.ietf.org/internet-drafts/draft-shirey-secgloss-v2-04.txt
SAMLv2: Glossary
http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf
"identity gang" lexicon
http://identitygang.org/Lexicon
The next item was Problems we want to solve (see agenda)
A few things were added:
- whitelisting
- claim minimality
- proof of server identity
Sam Hartman made his presentation, there were a few questions.
There was then additional discussion on Problems we want to solve.
Additional problems
non-browsing HTTP support
support for existing infrastructure
Cross Application Credential (XAC)
There was a general concern that we could end up boiling the ocean.
Grouping of problems was then started.
Dick Hardt's slide was presented.
Ekr initially proposed grouping the problem up as:
EKR1: Non-insane replacement for HTTP digest
- anti-phishing
- passwords and other
EKR2: Cross-site identity
- "Eliot's dad problem" (easily identify yourself to multiple
sites), SSO
EKR3: Claim & Attribute Transferral
More detailed discussion on each problem then ensued:
EKR1: Fix HTTP Auth
AD questions to audience concluded with:
- Liaise w/ W3C on GUI
- Liaise w/ APWG
- Layer / Arch TBD
- can stand alone, but coordinate w/ EKR2 and EKR3
EKR1 does not require EKR2
EKR2: Cross-site identifier
(Eliot's dad problem was broken off to be EKR4)
- raw assertions of identity are easier to trust than attributes
- name subordination
- existing technology, but glue work
Question: Is there glue work to be done by the IETF?
- no one thinks there is no glue work, 15
think there is, 15 are not sure
12 ok on work if EKR1 not happening,
EKR3: Claim & Attribute Transferral
- existing claims and syntaxes may be used
- binds attribute assertions to underlying communication
- not limited to HTTP
Question: Is there glue work to be done here by the IETF?
12 support, a couple object
EKR4:
- eliot's dad problem
part of EKR1 & EKR 2
There seem to be strong support for working on the EKR 1 and EKR 2,
weak support for the EKR 3, and a general agreement that EKR 4 should
not be forgotten, although it was unclear whether EKR 4 needed to be
solved separately from EKR 1 and EKR 2.
There also seemed to be general agreement that we should focus our
efforts on fixing HTTP browsing first, non-browsing second, and not
worry about cross application credentials.
Lisa and the IESG now have to determine whether there should be
another BoF, separate BoFs for separate working groups or to do
something else. Work done by other organizations, such as W3C, also
need to take into account and note needs to be taken of UI concerns.
Meeting concluded 15 minutes late.
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
