Secure Web Auth
Session: Tuesday – Session 3 - L
Convener: Yutaka OIWA
A. Tags for the session
technology discussed/ideas considered:
- Secure Web Authentication
B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps
Presentation is available at: https://staff.aist.go.jp/y.oiwa/publications/2010-IIW10-MutualAuth-P.pdf
Questions from the floor:
(identities of questioners wanted!)
- Q(___) How about the header format?
- A. The protocol uses a format based on RFC 2617, compatible with existing protocols.
- Q(___) Scalability issues
- A. The protocol supports a domain-based single-sign-on (e.g. *.yahoo.com).
- Cross-domain authentication might be useful with integration to existing authentication mechanisms (e.g. SAML, OpenID etc.)
- Q(___) Compatibility with existing applications and their migration
- A. It requires a small change to existing applications.
- It includes several extensions to existing HTTP auth mechanisms, which enables migration of current (form-authentication-based) applications to our scheme without changing the whole design of website (current Basic/Digest auth has difficulty on user-experience compatibility). For example, it includes support for guest-user support (optional authentication), server-initiated forced logout, redirection of unauthenticated users to dedicated log-in pages, and others.
- Q(___) Compatibility with existing browsers
- A. Browsers must also be extended. We already implemented it on Mozilla codebase and see how much modification needed.
- Q(___) How to migrate from or co-exist with existing auth, such as Form auth or Basic?
- A. Application frameworks can support parallel support with Form-based auth (because existing browsers simply ignore our WWW-Authenticate headers). Parallel support with Basic auth may need some additional functionality for negotiations (HTTP spec supports two or more WWW-Authenticate headers at the same time, but it does not work well on existing code).
- Q(___) Standardization issues and schedules
- A. We are working on IETF to making this a WG issue. Originally handled in HTTPBIS WG, now under OAuth WG temporarily. We maybe need a new WG for this and related issues. We want it within around 1 year.
- Q(___) Real-world experiences, deployment and field-tests.
- A. We’ve done a field test on “Yahoo! Japan Auction Trial” website. We’ve got a feedback on deployability and compatibility with existing web applications. For scalability and user-experience we may need more testing in a near future.