Dear people on the OAuth WG mailing list,

I recently updated the draft for the HTTP Mutual Access Authentication Protocol. The draft is available from the IETF website at <http://tools.ietf.org/html/draft-oiwa-http-mutualauth-06>.

This protocol was first proposed to the httpbis WG, and as suggested there previously (at IETF 74), I am sending it to the OAuth WG at this time. Although the protocol itself is designed separately from the OAuth protocol, I believe that this protocol is beneficial for many OAuth users. Please take a look at it; comments are always welcome.

This -06 revision is a minor update: I have integrated several useful comments received from many people. I'm very grateful for those comments.

I'm going to attend both the OAuth WG and the httpbis WG at Anaheim, so I'm looking forward to seeing you there. If you're interested, please look for us in Anaheim, and I can give a demonstration there.

# The demonstration is also available on our website
# <https://www.rcis.aist.go.jp/special/MutualAuth/>, but you will
# need to install a browser with the protocol support there.

A very short introduction:

This protocol provides true mutual authentication between HTTP clients and servers using simple password-based authentication in a very secure way. This protocol enables clients to check whether the SERVER knows the user's entity (encrypted password), and also ensures that the client password itself will not be exposed to a peer server. By using this protocol we can protect the client's passwords from forged (phishing) servers. Furthermore, the mutual authentication provided by this protocol will also protect other important information from phishing attacks.

More details are available in the draft and in a preprint available from our website <https://www.rcis.aist.go.jp/special/MutualAuth/>.

Some issues currently pending:

o Format of the "Authentication-Control" header and other header fields extending the general HTTP authentication scheme, and harmonization of those with other draft proposals such as <http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0086.html> and Thomas' 308 status code proposal <http://lists.w3.org/Archives/Public/public-web-security/2010Jan/0001.html>.

o Restructuring of the draft, possibly separating it into several parts, e.g. introduction, general HTTP extensions and Mutual authentication. I am currently planning to do this after the harmonization above.

-- 
Yutaka OIWA, Ph.D.
Research Scientist
Research Center for Information Security (RCIS)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <[email protected]>, <[email protected]>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
