Re: Straw-man charter for http-bis
Eliot Lear <lear@cisco.com> Fri, 08 June 2007 14:46 UTC
Message-ID: <46696B98.1090201@cisco.com>
Date: Fri, 08 Jun 2007 15:45:44 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
MIME-Version: 1.0
To: Henrik Nordstrom <henrik@henriknordstrom.net>
Subject: Re: Straw-man charter for http-bis
References: <BA772834-227A-4C1B-9534-070C50DF05B3@mnot.net> <392C98BA-E7B8-44ED-964B-82FC48162924@mnot.net> <6AE049B9045C00064222693F@[10.1.110.5]>
<1181250794.24162.109.camel@henriknordstrom.net>
In-Reply-To: <1181250794.24162.109.camel@henriknordstrom.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=3022; t=1181313958;
x=1182177958; c=relaxed/simple; s=amsdkim1002;
h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;
d=cisco.com; i=lear@cisco.com;
z=From:=20Eliot=20Lear=20<lear@cisco.com>
|Subject:=20Re=3A=20Straw-man=20charter=20for=20http-bis
|Sender:=20; bh=o/U5clIu9BWstwX/q/7M+57bN7x/nCIn3pbvtksg8wQ=;
b=O3j6LY/pt4CHXJBvPM5VdGtcma1vGlcEfHn/ycKKPk6PSt/VKmervfMbOmCJ8h0/Te+LO3Hz
jA6YkG1SQxTjlTTyBrcOyQc9QRGmwjO7E9bSG4o5I4CRcQ6UGeMeOOfo;
Authentication-Results: ams-dkim-1; header.From=lear@cisco.com; dkim=pass (s
ig from cisco.com/amsdkim1002 verified; );
Cc: Apps Discuss <discuss@apps.ietf.org>, Mark Nottingham <mnot@mnot.net>,
Chris Newman <Chris.Newman@Sun.COM>,
"ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Henrik Nordstrom wrote:
> Just a reflection on the phishing problem.
>
> IMHO this is more of an UA and education problem, not so much a protocol
> problem even if having something more secure than Digest would be a good
> thing. But you should also be aware that making HTTP authentication
> stronger won't make any of the common forms of phishing much harder.
>
I disagree in the strongest possible terms. This *is* a problem we can
solve technically. It's just that no one has the will to do it and
we've organized ourselves so that the work cannot be done in one place.
If you had a component that was separate from your workstation, that had
but a single function – authentication – we could write appropriate APIs
and protocols to access that device such that you would never log in
without using it. The riskiest function would be registration. In
that single area I would view this as an education problem, but even there,
if we came up with a standard way to legitimately register individuals
we could probably make that problem much more solvable.
The problem is this:
* Registration and authentication occur with the forms interface
that W3C handles;
* The APIs are owned in large part by Microsoft and IEEE (POSIX);
* IETF owns the wire protocol;
* Smartcard design is done by numerous (ISO, IEEE, other).
But to not attempt to solve these problems is dereliction of duty to the
community we as an organization are supposed to be serving. The LEAST
the IETF can do is put forth an authentication mechanism that solves the
wire protocol problem. It should jibe with the other functions as they
evolve and provide flexibility to the organizations in question to offer
opaque communications so we can have better authentication mechanisms as
time goes on.
It's just shameful. And yes, I suppose I'm being a bit emotive, but we
have GOT to get off the dime, and the ONLY work that does so in this
space right now is Sam's draft and that of Leif Johannson.
> Then there is also the single-sign-on issue, but that's more of an
> implementation thing than protocol. Digest fits just as well in
> single-sign-on models as the NTLM or Negotiate schemes widely deployed
> for the purpose today, but due to it being a different authentication
> mechanism than used for the desktop it's not used in that context.
>
I disagree with you on this as well, but then the term "single sign-on"
is so overloaded we really can't argue the point without debating the
term first. So I'll define it as only requiring one password to do
whatever it is I want to do (what the DIX/WAE BoFs called "Eliot's Dad's
Problem").
But I also think there's no use in me whining about the lack of this
stuff, and so I suppose it's time to shut up and either write a draft
that actually attempts to address Sam's concerns or build some code to
match some existing drafts, and then we can see how far off we are.
Eliot
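The exchange above argues over what HTTP Digest does and does not buy against phishing. As an added example (not code from the thread or from any of its participants), here is an RFC 2617 Digest challenge/response with qop=auth, both the client and the server side, so the property under discussion is visible: the password never crosses the wire, only a keyed MD5 of it does, and a server that tracks issued nonces rejects a straight replay. Realm, user and password values are constructed for the example, except the "Mufasa" vector, which is the one printed in RFC 2617 section 3.5.

```python
# Added example: RFC 2617 HTTP Digest (qop=auth), client and server sides.
# All realm/user/password values here are constructed for illustration.
import hashlib
import hmac
import os


def md5_hex(s: str) -> str:
    """MD5 hex digest of a UTF-8 string (RFC 2617 mandates MD5)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_challenge(realm: str) -> dict:
    """Server side: the WWW-Authenticate parameters, with a fresh random nonce."""
    return {"realm": realm, "nonce": os.urandom(16).hex(), "qop": "auth"}


def client_response(username, password, method, uri, challenge,
                    nc="00000001", cnonce=None) -> dict:
    """Client side: compute the Authorization parameters.
    The cleartext password stays on the client; only the digest is sent."""
    cnonce = cnonce or os.urandom(8).hex()
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
            "nc": nc, "cnonce": cnonce, "response": response}


def server_verify(auth: dict, method: str, ha1_store: dict, live_nonces: set) -> bool:
    """Server side. ha1_store maps username -> HA1, so the server need not keep
    the cleartext password (HA1 is still password-equivalent for this realm).
    live_nonces holds nonces the server issued and has not yet seen used; a
    nonce is consumed on first use, which rejects replay of a captured header."""
    if auth.get("qop") != "auth" or auth.get("nonce") not in live_nonces:
        return False
    ha1 = ha1_store.get(auth.get("username"))
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    expected = md5_hex(
        f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
    live_nonces.discard(auth["nonce"])  # single use, whether or not it verifies
    return hmac.compare_digest(expected, auth["response"])


def run_exchange(username, password, registered_password, realm="example.org"):
    """One full round trip followed by a replay of the same Authorization
    header; returns (first_attempt_ok, replay_ok)."""
    ha1_store = {username: md5_hex(f"{username}:{realm}:{registered_password}")}
    challenge = make_challenge(realm)
    live = {challenge["nonce"]}
    auth = client_response(username, password, "GET", "/account", challenge)
    first = server_verify(auth, "GET", ha1_store, live)
    replay = server_verify(auth, "GET", ha1_store, live)
    return first, replay


if __name__ == "__main__":
    print(run_exchange("alice", "s3cret", "s3cret"))   # (True, False)
    print(run_exchange("alice", "wrong", "s3cret"))    # (False, False)
```

Two caveats a practitioner should read off this code. A phishing page built from an HTML form never triggers this exchange at all, so the digest protects nothing there; that is the gap in Henrik's remark that stronger HTTP authentication does not touch the common forms of phishing. And even when a rogue server does issue a Digest challenge, what it captures is MD5 material over a user-chosen password, which is brute-forceable offline; moving the secret into a separate authenticator, as Eliot proposes, is what removes that exposure.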