Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing
pgut001@cs.auckland.ac.nz (Peter Gutmann) Sat, 06 September 2008 13:48 UTC
Return-Path: <apps-discuss-bounces@ietf.org>
X-Original-To: apps-discuss-archive@ietf.org
Delivered-To: ietfarch-apps-discuss-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 546993A697A; Sat, 6 Sep 2008 06:48:14 -0700 (PDT)
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 487303A6B18; Thu, 4 Sep 2008 08:26:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.527
X-Spam-Level:
X-Spam-Status: No, score=-4.527 tagged_above=-999 required=5 tests=[AWL=-0.927, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q+oQgg0j2eSF; Thu, 4 Sep 2008 08:26:33 -0700 (PDT)
Received: from mailhost.auckland.ac.nz (curly.its.auckland.ac.nz [130.216.12.33]) by core3.amsl.com (Postfix) with ESMTP id 8D2A03A6BDD; Thu, 4 Sep 2008 08:26:22 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 769909CB42; Fri, 5 Sep 2008 03:26:12 +1200 (NZST)
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (curly.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4X1MTj5CId0G; Fri, 5 Sep 2008 03:26:12 +1200 (NZST)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id D313C9CB31; Fri, 5 Sep 2008 03:26:11 +1200 (NZST)
Received: from wintermute01.cs.auckland.ac.nz (wintermute01.cs.auckland.ac.nz [130.216.34.38]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id EA64DE0808A; Fri, 5 Sep 2008 03:26:10 +1200 (NZST)
Received: from pgut001 by wintermute01.cs.auckland.ac.nz with local (Exim 4.63) (envelope-from <pgut001@wintermute01.cs.auckland.ac.nz>) id 1KbGio-00037B-Q7; Fri, 05 Sep 2008 03:26:10 +1200
From: pgut001@cs.auckland.ac.nz
To: discuss@ietf.org, ietf-http-wg@w3.org, lisa@osafoundation.org, saag@ietf.org, secdir@mit.edu
Subject: Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing
In-Reply-To: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
Message-Id: <E1KbGio-00037B-Q7@wintermute01.cs.auckland.ac.nz>
Date: Fri, 05 Sep 2008 03:26:10 +1200
X-Mailman-Approved-At: Sat, 06 Sep 2008 06:48:13 -0700
Cc: ietf-http-auth@osafoundation.org
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: apps-discuss-bounces@ietf.org
Errors-To: apps-discuss-bounces@ietf.org
Lisa Dusseault <lisa@osafoundation.org> writes: >You may have seen this draft a year ago; Sam is back working on it and >produced version -09 last month. > >http://tools.ietf.org/html/draft-hartman-webauth-phishing-09 > >[...] > >b) Whether the document should require mutual authentication (section 4.4). Yes, absolutely! The whole reason why phishing works is that the site is never authenticated, without mutual auth (and specifically strong mutual auth, e.g. some form of cryptographic challenge-response mechanism rather than the pretend-auth of "do you recognise this image?" that some US banks have adopted) you've not really achieving much. Peter. _______________________________________________ Apps-Discuss mailing list Apps-Discuss@ietf.org https://www.ietf.org/mailman/listinfo/apps-discuss
- Request for review and consensus -- draft-hartman… Lisa Dusseault
- Re: [saag] Request for review and consensus -- dr… Peter Gutmann
- Re: Request for review and consensus -- draft-har… Stephane Bortzmeyer