Web Authentication Enhancement BOF (WAE) Chair: Pete Resnick IETF 66


Page 2: Agenda (1)

• Scribes, blue sheets, agenda bash - 2 min.
• Getting terms straight - 10 min.
• Problems we are trying to solve - 55 min.
  – Discuss what sort of authentication/identification from user to server is desired
    • Anti-phishing discussion here
  – Discuss what sort of attribute info from user to server is desired
  – Discuss whether remote storage of attributes is desired
  – Discuss whether 3rd-party claims are desired

Page 3: Agenda (2)

• Mechanisms to use? - 55 min.
  – Discuss downsides of using current web auth mechanisms (i.e., user-agent changes)
  – Discuss downsides of using mechanisms that include no user-agent changes
  – Discuss authentication mechanism in light of above discussions
• What work items do we have? - 28 min.
  – Enumerate work items
  – Enumerate documents (if different than above)
  – Enumerate editors
• End

Page 4: Terminology

• Reading assignment: RFC 2828
• Authentication
• Authorization
• Credential
• Attribute
• Assertion
• Others?

Page 5: Problems we want to solve

• Capture-Resistant Credentials (CRC)
• Hijack-Resistant Authentication (HRA)
• Portable Credentials (PC)
• Fill-in of Personal Information (FPI)
• Common User Credentials (CUC)
• Continuity of Identity (CI)
• User-Friendly Names (UFN)
• Assertion of External Claims (AEC)
• Independent Assertion of Claims (IAC)
• Private Authentication (PA)
• Single Site Unlinkability (SSU)
• Multiple Site Unlinkability (MSU)
• Attack Resistant Credentials (ARC)

Page 6: Mechanisms/Architectures

• Bare Cryptographic Identifier (CRC, HRA, CUC, CI, PA)
• Identity Certificates (Above + UFN)
• Signature + Key Server (PC + whatever)
• Attribute Certificates (CRC, HRA, FPI (some), PC (w/ key server), CUC, CI, UFN, AEC, IAC, PA)
• Identity Provider (PC, CUC, CI, UFN, maybe PA)
  – w/ assertions (FPI, AEC, IAC)
  – w/ authentication (CRC, HRA)