• Scope
• Deliverables
• Schedule
• Dependencies
• Meetings
• Confidentiality
• Communication
• Patent Policy
• About this Charter

DRAFT

Form Annotations for Web Authentication
Working Group Charter

Last Changed

$Date: 2006/09/07 08:41:32 $

By

$Author: roessler $

Status of this document

This draft is work in progress, and may change without notice. W3C Members, participants in the W3C Workshop on Transparency and Usability of Web Authentication, and other interested parties, are welcome to discuss this draft on the mailing list public-usable-authentication (public archive). W3C Members may also wish to share their comments with their fellow Members on the internal mailing list.

In the interest of brevity, standard template material has been removed from this charter.

The mission of this working group is to define a mechanism to annotate Web forms to support both better client-side credential management, and integration of form-based input mechanisms with protocol-level authentication mechanisms such as HTTP Digest Authentication.

Background and Scope

Authentication on the Web is, today, largely based on the entry of user names and passwords through HTML forms, and their submission through HTTP POST. Session management on the basis of browser cookies or hidden form fields is then used to keep authentication state for further transactions. Existing mechanisms for HTTP Authentication [RFC 2617] are ignored in these scenarios.

To assist users in these situations, web user agents are typically able to cache user names and passwords. This caching is based on heuristic recognition of those form fields that are used for authentication information; consequently, they fail in slightly a-typical situations.

This working group is chartered to develop a mechanism for annotating HTML forms, to

• enable user agents to use the contents of appropriate form fields as parameters for existing or emerging authentication mechanisms on a protocol level; the mechanism will at least support HTTP Digest Authentication, and other authentication mechanisms as the working group sees fit.
• enable user agents to reliably recognize form fields that are used for the entry of credentials, to appropriately assist users with the management and generation of credentials.

Key requirements include:

• machine-readable identification of form controls that are used to solicit credentials;
• use of certain form controls as parameters for protocol-level authentication mechanisms, e.g., HTTP Authentication;
• supporting automatic generation of credentials where appropriate, e.g., by giving regular expressions that passwords need to match;
• graceful degradation of new-style form controls in legacy user agents to enable iterative deployment.

This Working Group is not chartered to develop new authentication protocols.

Deliverables

The group should deliver:

• a requirements document
• a W3C Recommendation that describes an annotation mechanism for HTML forms as described above.

Dependencies

W3C Groups

The Web Security Context Baseline Working Group should coordinate its activities with other relevant W3C Working Groups, specifically:

Web Application Formats

The mission of the W3C Web Application Formats Working Group is to develop specifications that enable improved client-side application development on the Web. This includes the development of languages for applications, especially user interfaces.

W3C Form work

This group will coordinate with related work in other W3C Activities through the Hypertxt Coordination Group.

External Groups

The following is a tentative list of external bodies that the Working Group should collaborate with:

Internet Engineering Task Force

The IETF community is, as of fall 2006, considering new work on enhancements in Web Authentication. It is expected that any working groups emerging from these considerations will need to liaise with this working group.

OASIS

The OASIS Security Services Technical Committee is chartered to define and maintain a standard, XML-based framework for creating and exchanging security information between online partners.

Liberty Alliance

Liberty Alliance is developing an open standard for federated network identity that supports all current and emerging network devices.

  


  $Log: htmlauth-charter.html,v $
  Revision 1.34  2006/09/07 08:41:32  roessler
  Layout change per Susan Lesch's suggestion.

  Revision 1.33  2006/09/05 22:55:17  roessler
  update per conversation with Ian

  Revision 1.32  2006/08/24 15:13:00  roessler
  Update re relationship with other forms work.

  Revision 1.31  2006/08/23 15:44:48  roessler
  Changelog formatting, again.

  Revision 1.30  2006/08/23 15:37:07  roessler
  Clean up some boilerplate material.

  Revision 1.29  2006/08/18 13:49:50  roessler
  Fix change log formatting

  Revision 1.28  2006/08/18 13:47:58  roessler
  Rename the form annotation group; add boilerplate material; 
  move to different template.

  Revision 1.27  2006/08/08 13:54:27  roessler
  Editorial nits.

  Revision 1.26  2006/08/07 13:59:20  roessler
  Phrase core of the document to be independent of HTTP.

  Revision 1.25  2006/08/07 13:45:49  roessler
  limit total width of text

  Revision 1.24  2006/08/07 13:07:37  roessler
  valid XHTML

  Revision 1.23  2006/08/07 12:56:26  roessler
  Add tentative time line.

  Revision 1.22  2006/07/05 00:12:24  roessler
  Markup fix.

  Revision 1.21  2006/07/03 09:26:59  roessler
  Add change log.