Web Authentication Enhancement BOF (WAE)

FRIDAY, July 14, 2006, 0900-1130, Morning Session I, Room 519A
Chair: Pete Resnick

Mailing list discussion (see ) has continued with regard to Digital Identity Exchange specifically and web authentication generally. This BOF will follow up on that discussion, including:

- Discussion of the scope and number of the mechanisms. There seem to be desires for (1) the ability for the user to identify to the server (probably authenticating, preventing phishing as much as possible), (2) the ability to transfer user attributes to the server, (3) the ability to store user attributes remotely, and (4) the ability for a 3rd party to warrant user attribute claims.

- Discussion of the pros and cons of mechanisms that involve changes to the user agent versus mechanisms that rely on a separate identity server to do all of the work without changing the user agent (e.g., DIX).

- Discussion of the types of authentication mechanisms to be used. (Some comments on the mailing list indicate it should be a general mechanism not tied to HTTP, others indicate that the underlying mechanism should be common but that there should be an HTTP-specific protocol, and others have no interest in solving that particular problem. :-) )

In the chair's opinion these discussions needn't be spurred by presentations. Most of this is going to be a high-level discussion and should definitely not reference any particular mechanism. (If logistics permit, we will use a "pass the mic" format instead of standing in a queue at the mics, and the chair will do floor control.)

With that in mind, the meeting agenda will be:

(Pre-meeting: Find minutes and jabber people - volunteers NOW would be useful!!)

- Start passing blue sheets, Agenda bash - 2 minutes

- What problems are we trying to solve? - 1 hour
  - Discuss what sort of authentication/identification from user to server is desired
    - Anti-phishing discussion here
  - Discuss what sort of attribute info from user to server is desired
  - Discuss whether remote storage of attributes is desired
  - Discuss whether 3rd-party claims are desired

- What sorts of mechanisms should we use? - 1 hour
  - Discuss downsides of using current web auth mechanisms (i.e., user-agent changes)
  - Discuss downsides of using mechanisms that include no user-agent changes
  - Discuss authentication mechanism in light of above discussions

- What work items do we have? - 28 minutes
  - Enumerate work items
  - Enumerate documents (if different than above)
  - Enumerate editors

- End