Re: Request for review and consensus -- draft-hartman-webauth-phishing
Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 11 September 2008 13:35 UTC
Date: Thu, 11 Sep 2008 15:35:27 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Lisa Dusseault <lisa@osafoundation.org>, HTTP Working Group <ietf-http-wg@w3.org>, Apps Discuss <discuss@ietf.org>
Subject: Re: Request for review and consensus -- draft-hartman-webauth-phishing
Message-ID: <20080911133527.GA13697@nic.fr>
References: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
In-Reply-To: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
On Wed, Sep 03, 2008 at 01:41:39PM -0700, Lisa Dusseault <lisa@osafoundation.org> wrote a message of 39 lines which said:

> If you'd like to review it, please do.

I was skeptical at the origin of this work because phishing mitigation is 50 % UI design and 50 % psychology, two domains where the IETF has no expertise or legitimacy (which does not prevent some people from using the fear of phishing to advance their ideas, as we saw for the IDN protocol). But I find the draft quite good because it is modest and stays in IETF waters, network protocols. I agree with the general idea (using new authentication protocols to reduce the incentive for phishing).

A few remarks:

Section 3, the sentence "As a consequence of this assumption, users will likely be fooled by strings either in website names or certificates that look visually similar but that are composed of different code points." should be deleted. It is exactly the sort of thing (psychology of users) that we should stay away from. Moreover, it does not reflect the reality of phishing: very few phishers take the trouble to fake the domain name (that's why the whole issue of phishing for IDN is a red herring). Most of the phishing Web sites have an unrelated domain name (smith.example.com) or even an IP address. The few that try to fake the domain name use tricks like a dash instead of a dot (secure-paypal.com) and do not rely on visual confusability.

Section 4.5 says "Assuming that only certificates from trusted CAs are accepted". I would delete it too. One of the big problems with X.509 is precisely that there is never an informed decision by the user to trust or not to trust a CA. The user typically blindly accepts what's in the browser's list of CAs, a list which was compiled on many criteria, trust being only one of them.
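The message above lists the domain-name tricks actually seen in phishing (an unrelated domain with the brand stuffed into a subdomain or path, a bare IP address, a dash instead of a dot, and, rarely, visually confusable code points). The classifier below is an added example, not part of the original mail or of the draft under review: it sorts candidate URLs into those buckets so that a log-triage or takedown script can count how often each trick shows up. The brand name, the set of legitimate domains, the tiny confusable table and the "last two labels" rule for the registrable domain are all constructed assumptions; a production check would use a public-suffix list and the Unicode TS #39 confusable data.

```python
"""Classify phishing URLs by the domain-name trick they use.

Added example (not from the original post). BRAND, LEGIT_DOMAINS and
CONFUSABLES are constructed assumptions for illustration only.
"""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

BRAND = "paypal"                 # assumption: brand being impersonated
LEGIT_DOMAINS = {"paypal.com"}   # assumption: the brand's real domains

# Assumption: a handful of lookalike code points. A real check would
# load the Unicode confusables table rather than this short list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_unicode_host(host):
    """Decode xn-- (A-label) hostnames so the user-visible form is inspected."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA: inspect as-is


def skeleton(host):
    """Fold a Unicode host into the ASCII string a user would perceive."""
    out = []
    for ch in unicodedata.normalize("NFKD", host):
        if unicodedata.combining(ch):
            continue            # drop accents that NFKD split off
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def registrable_domain(host):
    """Last two labels. Assumption: no public-suffix list (fine for .com)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify(url, brand=BRAND, legit=LEGIT_DOMAINS):
    """Return which phishing trick (if any) the URL's host relies on."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()

    # 1. Bare IP address (brackets are already stripped by urlsplit for IPv6).
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass

    uhost = to_unicode_host(host)
    if registrable_domain(uhost) in legit:
        return "legitimate"

    # 2. Confusable code points: only flag if folding changes the host and
    #    the folded form is the real domain.
    folded = skeleton(uhost)
    if folded != uhost and registrable_domain(folded) in legit:
        return "homoglyph-lookalike"

    # 3. Brand inside the registered label, e.g. secure-paypal.com.
    reg = registrable_domain(uhost)
    if brand in reg.split(".")[0]:
        return "brand-variant"

    # 4. Unrelated registered domain, brand only in a subdomain or the path.
    if brand in uhost or brand in parts.path.lower():
        return "brand-in-subdomain-or-path"
    return "unrelated-domain"


def tally(urls):
    """Count how many URLs fall into each bucket."""
    counts = {}
    for u in urls:
        kind = classify(u)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample URLs; the A-label is computed rather than typed in.
    lookalike = "p\u0430ypal.com".encode("idna").decode("ascii")
    samples = [
        "http://192.0.2.10/paypal/login",
        "http://paypal.smith.example.com/",
        "http://secure-paypal.com/",
        "http://%s/" % lookalike,
        "https://www.paypal.com/",
    ]
    for u in samples:
        print(classify(u), u)
    print(tally(samples))
```

Run it on a real feed of reported URLs and the tally makes the mail's point measurable: the "homoglyph-lookalike" bucket is the one that only fills up when an attacker went to the trouble of registering a confusable name.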