Secure Web Auth

From IIW

Session: Tuesday – Session 3 - L

Conference: IIW 10 May 17-19, 2009 this is the complete Complete Set of Notes

Convener: Yutaka OIWA

Notes-taker(s): Yutaka OIWA, Tatsuya HAYASHI

A. Tags for the session

technology discussed/ideas considered:

  • Secure Web Authentication

B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Presentation is available at: https://staff.aist.go.jp/y.oiwa/publications/2010-IIW10-MutualAuth-P.pdf

Questions from the floor:

(identities of questioners wanted!)
Q(___) How about the header format?
A. The protocol uses a format based on RFC 2617, compatible with existing protocols.
Q(___) Scalability issues
A. The protocol supports a domain-based single-sign-on (e.g. *.yahoo.com).
Cross-domain authentication might be useful with integration to existing authentication mechanisms (e.g. SAML, OpenID etc.)
Q(___) Compatibility with existing applications and their migration
A. It requires a small change to existing applications.
It includes several extensions to existing HTTP auth mechanisms, which enables migration of current (form-authentication-based) applications to our scheme without changing the whole design of website (current Basic/Digest auth has difficulty on user-experience compatibility). For example, it includes support for guest-user support (optional authentication), server-initiated forced logout, redirection of unauthenticated users to dedicated log-in pages, and others.
Q(___) Compatibility with existing browsers
A. Browsers must also be extended. We already implemented it on Mozilla codebase and see how much modification needed.
Q(___) How to migrate from or co-exist with existing auth, such as Form auth or Basic?
A. Application frameworks can support parallel support with Form-based auth (because existing browsers simply ignore our WWW-Authenticate headers). Parallel support with Basic auth may need some additional functionality for negotiations (HTTP spec supports two or more WWW-Authenticate headers at the same time, but it does not work well on existing code).
Q(___) Standardization issues and schedules
A. We are working on IETF to making this a WG issue. Originally handled in HTTPBIS WG, now under OAuth WG temporarily. We maybe need a new WG for this and related issues. We want it within around 1 year.
Q(___) Real-world experiences, deployment and field-tests.
A. We’ve done a field test on “Yahoo! Japan Auction Trial” website. We’ve got a feedback on deployability and compatibility with existing web applications. For scalability and user-experience we may need more testing in a near future.