Web Bot Auth
charter-ietf-webbotauth-01
Revision differences
Document history
| Date | Rev. | By | Action |
|---|---|---|---|
|
2025-10-23
|
01 | Morgan Condie | New version available: charter-ietf-webbotauth-01.txt |
|
2025-10-23
|
00-04 | Morgan Condie | State changed to Approved from External Review (Message to Community, Selected by Secretariat) |
|
2025-10-23
|
00-04 | Morgan Condie | IESG has approved the charter |
|
2025-10-23
|
00-04 | Morgan Condie | Closed "Approve" ballot |
|
2025-10-23
|
00-04 | Morgan Condie | WG action text was changed |
|
2025-10-23
|
00-04 | Mike Bishop | New version available: charter-ietf-webbotauth-00-04.txt |
|
2025-10-23
|
00-03 | Éric Vyncke | [Ballot comment] Thanks for implementing my suggestions on 00-00 |
|
2025-10-23
|
00-03 | Éric Vyncke | [Ballot Position Update] New position, Yes, has been recorded for Éric Vyncke |
|
2025-10-22
|
00-03 | Deb Cooley | [Ballot Position Update] New position, Yes, has been recorded for Deb Cooley |
|
2025-10-22
|
00-03 | Mike Bishop | [Ballot Position Update] New position, Yes, has been recorded for Mike Bishop |
|
2025-10-22
|
00-03 | Gunter Van de Velde | [Ballot Position Update] New position, No Objection, has been recorded for Gunter Van de Velde |
|
2025-10-21
|
00-03 | Andy Newton | [Ballot Position Update] New position, No Objection, has been recorded for Andy Newton |
|
2025-10-21
|
00-03 | Mahesh Jethanandani | [Ballot comment] I read Paul's comment and had to look in the milestones list to find the sentence he was referencing. If what he mentioned … [Ballot comment] I read Paul's comment and had to look in the milestones list to find the sentence he was referencing. If what he mentioned is true, I would have similar concerns about the onus being on the server, and not the bot, for additional information. Can this be clarified? |
|
2025-10-21
|
00-03 | Mahesh Jethanandani | [Ballot Position Update] New position, No Objection, has been recorded for Mahesh Jethanandani |
|
2025-10-21
|
00-03 | Roman Danyliw | [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw |
|
2025-10-21
|
00-03 | Mohamed Boucadair | [Ballot comment] Hi all, I support this effort. I still have a comment about this part: CURRENT: Current solutions (such as IP allowlisting, User-Agent … [Ballot comment] Hi all, I support this effort. I still have a comment about this part: CURRENT: Current solutions (such as IP allowlisting, User-Agent strings, and shared API keys) have significant limitations regarding security, scalability, and manageability. It might be helpful to have a document (not targeting to be published as RFC) to inventory these limitations and under which conditions these are encountered. Having a commonly agreed set would help assess the new methods and also inform target deployments. Cheers, Med |
|
2025-10-21
|
00-03 | Mohamed Boucadair | [Ballot Position Update] New position, Yes, has been recorded for Mohamed Boucadair |
|
2025-10-21
|
00-03 | Jim Guichard | [Ballot Position Update] New position, No Objection, has been recorded for Jim Guichard |
|
2025-10-20
|
00-03 | Paul Wouters | [Ballot comment] One question I have is on the 2nd deliverable, "mechanism for web servers to request additional bot information". This seems to put the … [Ballot comment] One question I have is on the 2nd deliverable, "mechanism for web servers to request additional bot information". This seems to put the onus on the webserver to process (malicious?) bot information to make future decisions on whether to allow authentication. Why is this not the reverse, eg the bot getting additional information from the webserver and the bots need to go out and get their permission settled to authenticate and be allowed? |
|
2025-10-20
|
00-03 | Paul Wouters | [Ballot Position Update] New position, Yes, has been recorded for Paul Wouters |
|
2025-10-09
|
00-03 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
|
2025-10-06
|
00-03 | Gorry Fairhurst | [Ballot comment] I expect this to be a valuable activity. |
|
2025-10-06
|
00-03 | Gorry Fairhurst | [Ballot Position Update] New position, Yes, has been recorded for Gorry Fairhurst |
|
2025-10-02
|
00-03 | Morgan Condie | Telechat date has been changed to 2025-10-23 (Previous date was 2025-09-25) |
|
2025-10-02
|
00-03 | Morgan Condie | Created "Approve" ballot |
|
2025-10-02
|
00-03 | Morgan Condie | Closed "Ready for external review" ballot |
|
2025-10-02
|
00-03 | Morgan Condie | State changed to External Review (Message to Community, Selected by Secretariat) from Start Chartering/Rechartering (Internal Steering Group/IAB Review) |
|
2025-10-02
|
00-03 | Morgan Condie | WG new work message text was changed |
|
2025-10-02
|
00-03 | Morgan Condie | WG review text was changed |
|
2025-10-02
|
00-03 | Morgan Condie | WG review text was changed |
|
2025-10-02
|
00-03 | Morgan Condie | WG review text was changed |
|
2025-10-02
|
00-03 | Morgan Condie | WG review text was changed |
|
2025-10-02
|
00-03 | Morgan Condie | WG review text was changed |
|
2025-10-02
|
00-03 | Mike Bishop | New version available: charter-ietf-webbotauth-00-03.txt |
|
2025-09-25
|
00-02 | Deb Cooley | [Ballot Position Update] New position, Yes, has been recorded for Deb Cooley |
|
2025-09-24
|
00-02 | Roman Danyliw | [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw |
|
2025-09-24
|
00-02 | Ketan Talaulikar | [Ballot comment] Thanks for putting this charter together and updates to clear my previous DISCUSS position. I support the formation of this WG. I would … [Ballot comment] Thanks for putting this charter together and updates to clear my previous DISCUSS position. I support the formation of this WG. I would like to seek some clarifications on the following: 1) What is the difference between the following two that are both out of scope? Can they be combined? "- Authenticating the end user of a participating client or agent" "There is significant ongoing work for "agents," where a non-browser client makes requests on an end user's behalf. This effort will focus on authentication of the agent; authentication of the end user is out-of-scope." 2) Regarding this text: "There is significant ongoing work for "agents," where a non-browser client makes requests on an end user's behalf. This effort will focus on authentication of the agent; authentication of the end user is out-of-scope." Is that ongoing work happening in the IETF or in other SDOs? Can some of them be called out for coordination/liaisons? 3) Regarding this deliverable: "A mechanism for web servers to retrieve more information about a requesting bot via an existing widely-used identifier (such as a domain name, hostname, or URL)." What kind of document is that expected to be? I ask because the other two deliverables mention the track but this one does not. |
|
2025-09-24
|
00-02 | Ketan Talaulikar | [Ballot Position Update] Position for Ketan Talaulikar has been changed to No Objection from Block |
|
2025-09-24
|
00-02 | Mike Bishop | [Ballot Position Update] New position, Yes, has been recorded for Mike Bishop |
|
2025-09-24
|
00-02 | Mike Bishop | Added charter milestone "Standards track specification(s) describing a means for conveying additional information about bots sent to the IESG", due April 2026 |
|
2025-09-24
|
00-02 | Mike Bishop | Changed charter milestone "Standards track specification(s) describing authentication technique(s) and a means for conveying additional information about bots sent to the IESG", set description to … Changed charter milestone "Standards track specification(s) describing authentication technique(s) and a means for conveying additional information about bots sent to the IESG", set description to "Standards track specification(s) describing authentication technique(s) sent to the IESG" |
|
2025-09-24
|
00-02 | Mike Bishop | New version available: charter-ietf-webbotauth-00-02.txt |
|
2025-09-24
|
00-01 | Mike Bishop | Responsible AD changed to Mike Bishop |
|
2025-09-24
|
00-01 | Orie Steele | [Ballot Position Update] New position, Yes, has been recorded for Orie Steele |
|
2025-09-24
|
00-01 | Ketan Talaulikar | [Ballot block] Thanks for putting this charter together. I support the formation of this WG. However, I have a concern with the following part of … [Ballot block] Thanks for putting this charter together. I support the formation of this WG. However, I have a concern with the following part of the charter: Input documents that the Working Group might consider for adoption include: - draft-meunier-web-bot-auth-architecture - draft-meunier-http-message-signatures-directory Placing these 2 documents in the charter might give an impression that the IESG is expressing is a preference for them. I would prefer if the WG follows the usual process to pick the individual documents it wishes to via normal WG consensus. Note: I am not an expert in this area/topic and the above two documents may actually be an excellent starting point. So, no prejudice for or against those documents. |
|
2025-09-24
|
00-01 | Ketan Talaulikar | [Ballot comment] I would like to seek some clarifications on the following: 1) What is the difference between the following two that are both out … [Ballot comment] I would like to seek some clarifications on the following: 1) What is the difference between the following two that are both out of scope? Can they be combined? "- Authenticating the end user of a participating client or agent" "There is significant ongoing work for "agents," where a non-browser client makes requests on an end user's behalf. This effort will focus on authentication of the agent; authentication of the end user is out-of-scope." 2) Regarding this text: "There is significant ongoing work for "agents," where a non-browser client makes requests on an end user's behalf. This effort will focus on authentication of the agent; authentication of the end user is out-of-scope." Is that ongoing work happening in the IETF or in other SDOs? Can some of them be called out for coordination/liaisons? 3) Regarding this deliverable: "A mechanism for web servers to retrieve more information about a requesting bot via an existing widely-used identifier (such as a domain name, hostname, or URL)." What kind of document is that expected to be? I ask because the other two deliverables mention the track but this one does not. |
|
2025-09-24
|
00-01 | Ketan Talaulikar | [Ballot Position Update] New position, Block, has been recorded for Ketan Talaulikar |
|
2025-09-24
|
00-01 | Paul Wouters | [Ballot comment] This work needs to get done, thanks for starting it. I am also worried about the "A way for web servers to learn … [Ballot comment] This work needs to get done, thanks for starting it. I am also worried about the "A way for web servers to learn more information about the bot" sentence, as providing a secure method for this might overly complicate the simple use case of bot authentication. eg an X.509 extension might bring this "for free", but other solutions not part of the base authentication might not. |
|
2025-09-24
|
00-01 | Paul Wouters | [Ballot Position Update] New position, Yes, has been recorded for Paul Wouters |
|
2025-09-24
|
00-01 | Mohamed Boucadair | [Ballot comment] Hi all, I support this effort. I appreciate that the WG will deliver a document that will provided operational considerations. I have one … [Ballot comment] Hi all, I support this effort. I appreciate that the WG will deliver a document that will provided operational considerations. I have one comment about this part: CURRENT: Current solutions (such as IP allowlisting, User-Agent strings, and shared API keys) have significant limitations regarding security, scalability, and manageability. It might be helpful to have a document (not targeting to be published as RFC) to inventory these limitations and under which conditions these are encountered. Having a commonly agreed set would help assess the new methods and also inform target deployments. Cheers, Med |
|
2025-09-24
|
00-01 | Mohamed Boucadair | [Ballot Position Update] New position, Yes, has been recorded for Mohamed Boucadair |
|
2025-09-23
|
00-01 | Mahesh Jethanandani | [Ballot comment] Absolutely support the work. This appears to be a very short-lived WG with work getting completed by April 2026. Any reason this could … [Ballot comment] Absolutely support the work. This appears to be a very short-lived WG with work getting completed by April 2026. Any reason this could not be done in any existing WG? |
|
2025-09-23
|
00-01 | Mahesh Jethanandani | [Ballot Position Update] New position, No Objection, has been recorded for Mahesh Jethanandani |
|
2025-09-23
|
00-01 | Andy Newton | [Ballot Position Update] New position, No Objection, has been recorded for Andy Newton |
|
2025-09-23
|
00-01 | Mike Bishop | New version available: charter-ietf-webbotauth-00-01.txt |
|
2025-09-23
|
00-00 | Jim Guichard | [Ballot Position Update] New position, No Objection, has been recorded for Jim Guichard |
|
2025-09-16
|
00-00 | Gorry Fairhurst | [Ballot comment] I expect this to be a valuable activity. I was however, unsure what sort of document the following would produce: "A way for … [Ballot comment] I expect this to be a valuable activity. I was however, unsure what sort of document the following would produce: "A way for web servers to learn more information about the bot,..." or what activity this envisaged for the WG to perform, some clarification would imporve the Charter. |
|
2025-09-16
|
00-00 | Gorry Fairhurst | [Ballot Position Update] New position, Yes, has been recorded for Gorry Fairhurst |
|
2025-09-16
|
00-00 | Éric Vyncke | [Ballot comment] Strong support for this WG, let's hope that it can deliver fast. Nevertheless two comments: Will `In particular, there is significant activity around … [Ballot comment] Strong support for this WG, let's hope that it can deliver fast. Nevertheless two comments: Will `In particular, there is significant activity around so-called agentic use cases` age well ? E.g., in 1 year ? What is the intended publication status (if any) for `A way for web servers to learn more information` |
|
2025-09-16
|
00-00 | Éric Vyncke | [Ballot Position Update] New position, Yes, has been recorded for Éric Vyncke |
|
2025-09-13
|
00-00 | Erik Kline | [Ballot Position Update] New position, Yes, has been recorded for Erik Kline |
|
2025-09-11
|
00-00 | Cindy Morgan | Placed on agenda for telechat - 2025-09-25 |
|
2025-09-11
|
00-00 | Mike Bishop | WG action text was changed |
|
2025-09-11
|
00-00 | Mike Bishop | WG review text was changed |
|
2025-09-11
|
00-00 | Mike Bishop | WG review text was changed |
|
2025-09-11
|
00-00 | Mike Bishop | Created "Ready for external review" ballot |
|
2025-09-11
|
00-00 | Mike Bishop | Closed "Ready for external review" ballot |
|
2025-09-11
|
00-00 | Mike Bishop | State changed to Start Chartering/Rechartering (Internal Steering Group/IAB Review) from Draft Charter |
|
2025-09-11
|
00-00 | Mike Bishop | Added charter milestone "Best Current Practice operational specification sent to the IESG", due August 2026 |
|
2025-09-11
|
00-00 | Mike Bishop | Added charter milestone "Standards track specification(s) describing authentication technique(s) and a means for conveying additional information about bots sent to the IESG", due April 2026 |
|
2025-09-11
|
00-00 | Mike Bishop | State changed to Draft Charter from Start Chartering/Rechartering (Internal Steering Group/IAB Review) |
|
2025-09-11
|
00-00 | Mike Bishop | WG action text was changed |
|
2025-09-11
|
00-00 | Mike Bishop | WG review text was changed |
|
2025-09-11
|
00-00 | Mike Bishop | WG review text was changed |
|
2025-09-11
|
00-00 | Mike Bishop | Created "Ready for external review" ballot |
|
2025-09-11
|
00-00 | Mike Bishop | Importing draft from Google doc. |
|
2025-09-11
|
00-00 | Mike Bishop | State changed to Start Chartering/Rechartering (Internal Steering Group/IAB Review) from Not currently under review |
|
2025-09-11
|
00-00 | Mike Bishop | New version available: charter-ietf-webbotauth-00-00.txt |