DRAFT
Form Annotations for Web Authentication
Working Group Charter
- Last Changed
- $Date: 2006/09/07 08:41:32 $
- By
- $Author: roessler $
- Status of this document
- This draft is work in progress, and may change without
notice. W3C Members, participants in the W3C Workshop on
Transparency and Usability of Web Authentication, and other
interested parties, are welcome to discuss this draft on the mailing
list public-usable-authentication
(public archive).
W3C Members may also wish to share their comments with their fellow
Members on the internal mailing list.
In the interest of brevity, standard template material has been
removed from this charter.
The mission of this working group is to define a
mechanism to annotate Web forms to support both better client-side credential
management, and integration of form-based input mechanisms with
protocol-level authentication mechanisms such as HTTP Digest
Authentication.
Background and Scope
Authentication on the Web is, today, largely based on the entry of user
names and passwords through HTML forms, and their submission through HTTP
POST. Session management on the basis of browser cookies or hidden form
fields is then used to keep authentication state for further transactions.
Existing mechanisms for HTTP Authentication [RFC 2617] are ignored in these
scenarios.
To assist users in these situations, web user agents are typically able to
cache user names and passwords. This caching is based on heuristic
recognition of those form fields that are used for authentication
information; consequently, these heuristics fail in slightly atypical situations.
This working group is chartered to develop a mechanism for annotating HTML
forms, to
- enable user agents to use the contents of appropriate form fields as
parameters for existing or emerging authentication mechanisms on a
protocol level; the mechanism will at least support HTTP Digest
Authentication, and other authentication mechanisms as the working group
sees fit.
- enable user agents to reliably recognize form fields that are used for
the entry of credentials, to appropriately assist users with the
management and generation of credentials.
Key requirements include:
- machine-readable identification of form controls that are used to
solicit credentials;
- use of certain form controls as parameters for protocol-level
authentication mechanisms, e.g., HTTP Authentication;
- supporting automatic generation of credentials where appropriate, e.g.,
by giving regular expressions that passwords need to match;
- graceful degradation of new-style form controls in legacy user agents
to enable iterative deployment.
This Working Group is not chartered to develop new authentication
protocols.
Deliverables
The group should deliver:
- a requirements document
- a W3C Recommendation that describes an annotation mechanism for HTML
forms as described above.
Dependencies
W3C Groups
The Web Security Context Baseline Working Group should coordinate its
activities with other relevant W3C Working Groups, specifically:
- Web Application Formats
- The mission of the W3C Web Application Formats Working Group is to
develop specifications that enable improved client-side application
development on the Web. This includes the development of languages for
applications, especially user interfaces.
- W3C Form work
- This group will coordinate with related work in other W3C Activities
through the Hypertext Coordination Group.
External Groups
The following is a tentative list of external bodies that the Working
Group should collaborate with:
- Internet Engineering Task Force
- The IETF community is, as of fall 2006, considering new work on
enhancements in Web Authentication. It is expected that any working
groups emerging from these considerations will need to liaise with this
working group.
- OASIS
- The OASIS Security Services Technical Committee is chartered to define and
maintain a standard, XML-based framework for creating and exchanging
security information between online partners.
- Liberty Alliance
- Liberty Alliance is developing an open standard for federated network
identity that supports all current and emerging network devices.
Change Log
$Log: htmlauth-charter.html,v $
Revision 1.34 2006/09/07 08:41:32 roessler
Layout change per Susan Lesch's suggestion.
Revision 1.33 2006/09/05 22:55:17 roessler
update per conversation with Ian
Revision 1.32 2006/08/24 15:13:00 roessler
Update re relationship with other forms work.
Revision 1.31 2006/08/23 15:44:48 roessler
Changelog formatting, again.
Revision 1.30 2006/08/23 15:37:07 roessler
Clean up some boilerplate material.
Revision 1.29 2006/08/18 13:49:50 roessler
Fix change log formatting
Revision 1.28 2006/08/18 13:47:58 roessler
Rename the form annotation group; add boilerplate material;
move to different template.
Revision 1.27 2006/08/08 13:54:27 roessler
Editorial nits.
Revision 1.26 2006/08/07 13:59:20 roessler
Phrase core of the document to be independent of HTTP.
Revision 1.25 2006/08/07 13:45:49 roessler
limit total width of text
Revision 1.24 2006/08/07 13:07:37 roessler
valid XHTML
Revision 1.23 2006/08/07 12:56:26 roessler
Add tentative time line.
Revision 1.22 2006/07/05 00:12:24 roessler
Markup fix.
Revision 1.21 2006/07/03 09:26:59 roessler
Add change log.
$Id: htmlauth-charter.html,v 1.34 2006/09/07 08:41:32 roessler Exp $