Minutes IETF124: webbotauth: Tue 19:30
minutes-124-webbotauth-202511041930-00

Meeting Minutes Web Bot Auth (webbotauth) WG
Date and time 2025-11-04 19:30
State Active
Last updated 2025-11-08

Web Bot Auth, IETF 124, Montréal Canada, Tue 4 Nov 2025

  • Eric Rescorla, Martin Thomson, Brian Campbell pushed back on the
    documents and asked to understand the problem and define use cases
    first
  • Brian Campbell suggested mTLS as a better (less costly) approach
  • Jonathan Hoyland: impersonation risk of .well-known URL. Anyone can
    host anyone's public key on their own URL.
  • Aaron Parecki: asked to be reminded about the problem we are trying
    to solve
  • Kevin O'Connor: expects the overall ecosystem effect to be negative

The chairs decided to skip the detailed proposal sessions and go back
for context

Mark Nottingham: represents the original motivation from 123 BoF

  • Martin Thomson: frames the problem as about reputation and being
    able to offer bots higher levels of service
  • Eric Rescorla: the internet is for users, don't care what happens to
    the bots. Anonymous browsing is good - don't want to kill anonymous
    browsing. Want to reframe as, how do we protect sites from bots that
    generate high traffic? Rather than being able to discriminate
    specific bots
  • Aaron Parecki: is bot too poorly-defined? Would it be useful to
    limit to crawlers?

    • David Schinazi: most cases are crawlers but as discussed in the
      charter, it does cover agents/"fetchers". But the end user is
      explicitly out of scope.
  • Daniel Gillmor: also concerned about the ecosystem risk. Imagine a
    Consumer Reports bot wants to check what an anonymous human would
    see in terms of pricing, but is forced to identify itself

  • Thibault Meunier: we did jump to a solution in the proposal. But we
    are also looking to get bots fair access to the internet, that have
    different patterns
  • Alissa Cooper: do we really care about the identity of the bot? Or
    is it a proxy for the behavior of that bot? The identity seems like
    a poor proxy for reputation or deciding what "good behavior" looks
    like

    • Mark Nottingham: it has nice properties but also the risk of bot
      centralization because bots' reputation will build up over time
    • Samuel Schlesinger: Consumer Reports scenario is very
      compelling. If we enable a site to block Consumer Reports that
      is a bad outcome
  • John Levine: feels very similar to email and spam problems there.
    Email reputation is not perfect but it's had three decades to
    evolve. Definitely consider the bad ideas that were considered along
    the way too.

Sarah McKenna presents

  • Daniel Gillmor: also concerned about the ecosystem risk. Imagine a
    bot wants to check what an anonymous human would see in terms of
    pricing, but is forced to identify itself
  • Alissa Cooper: commercial actors will be just fine. We should focus
    on those independent good actors who may not be well-resourced
  • Daniel Gillmor: if the cat and mouse game continues either way, then
    it seems like the total impact of web bot auth would be to provide a
    fast lane for well-resourced providers

David Schinazi: as chairs perhaps we jumped the gun and should've had
another BoF. Hear loud and clear there are many in the room who disagree
with the current charter.