Secure Web Auth: Against Phishing, IETF Draft, Implementation, Next-gen ideas, Demo! (T3L) URL:

Convener: Yutaka OIWA Notes-taker(s): Yutaka OIWA, Tatsuya HAYASHI

Tags for the session - technology discussed/ideas considered:

Secure Web Auth

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Presentation is available at: https://staff.aist.go.jp/y.oiwa/publications/2010-IIW10-MutualAuth-P.pdf

Questions from the floor: (identities of questioners wanted!)

	Q(___) How about the header format?

	A. The protocol uses a format based on RFC 2617, compatible with existing protocols.

	Q(___) Scalability issues

	A. The protocol supports a domain-based single-sign-on (e.g. *.yahoo.com). Cross-domain authentication might be useful with integration to existing authentication mechanisms (e.g. SAML, OpenID etc.)

	Q(___) Compatibility with existing applications and their migration

	A. It requires a small change to existing applications. It includes several extensions to existing HTTP auth mechanisms, which enables migration of current (form-authentication-based) applications to our scheme without changing the whole design of website (current Basic/Digest auth has difficulty on user-experience compatibility). For example, it includes support for guest-user support (optional authentication), server-initiated forced logout, redirection of unauthenticated users to dedicated log-in pages, and others.

	Q(___) Compatibility with existing browsers

	A. Browsers must also be extended. We already implemented it on Mozilla codebase and see how much modification needed.

	Q(___) How to migrate from or co-exist with existing auth, such as Form auth or Basic?

	A. Application frameworks can support parallel support with Form-based auth (because existing browsers simply ignore our WWW-Authenticate headers). Parallel support with Basic auth may need some additional functionality for negotiations (HTTP spec supports two or more WWW-Authenticate headers at the same time, but it does not work well on existing code).

	Q(___) Standardization issues and schedules

	A. We are working on IETF to making this a WG issue. Originally handled in HTTPBIS WG, now under OAuth WG temporarily. We maybe need a new WG for this and related issues. We want it within around 1 year.

	Q(___) Real-world experiences, deployment and field-tests.

	A. We’ve done a field test on “Yahoo! Japan Auction Trial” website. We’ve got a feedback on deployability and compatibility with existing web applications. For scalability and user-experience we may need more testing in a near future.