Minutes for HTTPAUTH at IETF-95
minutes-95-httpauth-1

Meeting Minutes: Hypertext Transfer Protocol Authentication (httpauth) WG
Date and time: 2016-04-06 19:20
Title: Minutes for HTTPAUTH at IETF-95
State: Active
Last updated: 2016-04-09

The HTTP-Auth WG met for an hour at IETF 95. There were about 30 people in 
the room.

There were two items on the agenda:

Item #1 - Wrap up of MutualAuth
===============================
Rifaat presented the remaining issues because Yutaka Oiwa was not in 
the room, but Yutaka was able to join the discussion through MeetEcho.
There were four open issues following the review by Cory Benfield, 
Melinda Shore and Peter Yee of the MutualAuth documents:

  Issue #1: Current draft names the successful response codes directly:
            200 and 206. Instead it was suggested to treat all non-
            interim responses as successful (as far as authentication 
            goes), and single out 401 as MUST NOT.
  The group was OK with the suggested change.
  
  Issue #2: parameter quoting. Should we mandate either quoted or 
            unquoted? Alexey said that since both applications need to
            accept both, we don't need to mandate one or the other.
  The group agreed.
  
  Issue #3: additional hashing for compatibility with old (hashed with
            MD5 or SHA1) databases. 
  There was an overwhelming consensus to not add SHA256 (no such 
  databases that we know of), and a somewhat rougher consensus to drop 
  additional hashing altogether.
  
  Issue #4: web/Web, "web sites"/"websites"
  The group (at Alexey's suggestion) decided to leave it to the RFC editor.
  
The authors will generate new drafts with the fixes and changes. We 
hope to go to WGLC in May, followed by submission to the IESG soon after.
  
Item #2 - SRP
=============
Yaron Sheffer presented his and Rifaat's draft for SRP authentication 
in HTTP. The attendees in the room showed overwhelmingly no interest 
in pursuing this, but will confirm on the list.