Web Authentication Enhancement BOF (WAE)

1
Web Authentication Enhancement BOF (WAE)

• Chair Pete Resnick
• IETF 66

2
Agenda (1)

• Scribes, blue sheets, agenda bash - 2 min.
• Getting terms straight - 10 minutes
• Problems we are trying to solve - 55 min.
• Discuss what sort of authentication/identification
  from user to server is desired
• Anti-phishing discussion here
• Discuss what sort of attribute info from user to
  server is desired
• Discuss whether remote storage of attributes is
  desired
• Discuss whether 3rd-party claims are desired

3
Agenda (2)

• Mechanisms to use? - 55 min.
• Discuss downsides of using current web auth
  mechanisms (i.e., user-agent changes)
• Discuss downsides of using mechanisms that
  include no user-agent changes
• Discuss authentication mechanism in light of
  above discussions
• What work items do we have? - 28 min.
• Enumerate work items
• Enumerate documents (if different than above)
• Enumerate editors
• End

4
Terminology

• Reading assignment RFC 2828
• Authentication
• Authorization
• Credential
• Attribute
• Assertion
• Others?

5
Problems we want to solve

• Capture-Resistant Credentials (CRC)
• Hijack-Resistant Authentication (HRA)
• Portable Credentials (PC)
• Fill-in of Personal Information (FPI)
• Common User Credentials (CUC)
• Continuity of Identity (CI)
• User-Friendly Names (UFN)
• Assertion of External Claims (AEC)
• Independent Assertion of Claims (IAC)
• Private Authentication (PA)
• Single Site Unlinkability (SSU)
• Multiple Site Unlinkability (MSU)
• Attack Resistant Credentials (ARC)

6
Mechanisms/Architectures

• Bare Cryptographic Identifier (CRC, HRA, CUC, CI,
  PA)
• Identity Certificates (Above UFN)
• Signature Key Server (PC whatever)
• Attribute Certificates (CRC, HRA, FPI (some), PC
  (w/ key server), CUC, CI, UFN, AEC, IAC, PA)
• Identity Provider (PC, CUC, CI, UFN, maybe PA)
• w/assertions (FPI, AEC, IAC)
• w/authentication (CRC, HRA)