attachment
<div dir="ltr"><div><div>Hi,<br><br></div><div>A variety of updates to HTTP Basic and Digest (RFC 2617), including<br></div><div>UTF-8 and also four new HTTP-layer authentication mechanisms.<br><br></div><div>Cheers,<br></div>
</div>
- Ira<br><div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Matthew Lepinski</b> <span dir="ltr"><<a href="mailto:mlepinski.ietf@gmail.com">mlepinski.ietf@gmail.com</a>></span><br>
Date: Wed, Mar 5, 2014 at 8:35 AM<br>Subject: [saag] HTTPAUTH @ IETF 89<br>To: <a href="mailto:saag@ietf.org">saag@ietf.org</a><br>Cc: Yoav Nir <<a href="mailto:ynir.ietf@gmail.com">ynir.ietf@gmail.com</a>><br><br>
<br>
<div dir="ltr">HTTPAUTH met on Monday at IETF 89.<div><br></div><div>The working group is preparing an update to Basic and Digest authentication. These documents will obsolete RFC 2617. The primary goal of this work is to support non-ASCII (i.e., UTF-8) characters in usernames (and passwords), and to provide hash-function agility for Digest authentication. Work on these documents is progressing well, and we expect to have a working group last call on Digest-bis (and perhaps even both documents) before Toronto in July.</div>
<div><br></div><div>In addition to updating Basic and Digest authentication, the group is working on four experimental drafts that specify brand new HTTP-layer authentication mechanisms that have security properties that cannot be obtained via Basic or Digest authentication.</div>
<div><br></div><div>At IETF 89 we had focused discussion on issues in the SCRAM (Salted Challenge Response Authentication Mechanism) [draft-ietf-httpauth-scram-auth]. The group is also working on the following experimental mechanisms (which were discussed only briefly at IETF 89): </div>
<div>-- Draft-ietf-http-mutual (a password authenticated key exchange)</div><div>-- Draft-ietf-http-hoba (origin-bound authentication for HTTP)</div><div>-- Draft-ietf-http-rest-auth (restful authentication pattern for HTTP) </div>
<div><br></div><div>The four experimental documents in the working group have not received sufficient review. If you believe that is valuable for the IETF to specify something better than Basic/Digest for HTTP-layer authentication, then please read one of the above documents and provide feedback on our list. </div>
<div><br></div><div>If we can get sufficient review on (at least some) of these documents, then we will publish experimental RFCs -- implementation experience with which would hopefully inform future standards track work on improved HTTP-layer authentication. If we do not get sufficient review of these documents, then we will declare victory after publishing updates to Basic and Digest and close the group.</div>
</div>
<br>_______________________________________________<br>
saag mailing list<br>
<a href="mailto:saag@ietf.org">saag@ietf.org</a><br>
<a href="https://www.ietf.org/mailman/listinfo/saag" target="_blank">https://www.ietf.org/mailman/listinfo/saag</a><br>
<br></div><br></div></div>