RE: Next step on web phishing draft(draft-hartman-webauth-phishing-05.txt)

"Hallam-Baker, Phillip" <pbaker@verisign.com> Mon, 10 September 2007 15:47 UTC

Return-path: <discuss-bounces@apps.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUlU6-00076o-N2; Mon, 10 Sep 2007 11:47:34 -0400
Received: from discuss by megatron.ietf.org with local (Exim 4.43) id 1IUYQH-0004Md-J6 for discuss-confirm+ok@megatron.ietf.org; Sun, 09 Sep 2007 21:50:45 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUYQH-0004Lg-95 for discuss@apps.ietf.org; Sun, 09 Sep 2007 21:50:45 -0400
Received: from robin.verisign.com ([65.205.251.75]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IUYQG-0004yT-0D for discuss@apps.ietf.org; Sun, 09 Sep 2007 21:50:45 -0400
Received: from MOU1WNEXCN02.vcorp.ad.vrsn.com (mailer2.verisign.com [65.205.251.35]) by robin.verisign.com (8.12.11/8.13.4) with ESMTP id l8A1nDiV004852; Sun, 9 Sep 2007 18:49:13 -0700
Received: from MOU1WNEXMB04.vcorp.ad.vrsn.com ([10.25.13.157]) by MOU1WNEXCN02.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 9 Sep 2007 18:50:39 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: Next step on web phishing draft(draft-hartman-webauth-phishing-05.txt)
Date: Sun, 09 Sep 2007 18:47:58 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37013EDBE0@MOU1WNEXMB04.vcorp.ad.vrsn.com>
In-Reply-To: <8B056441-7E57-46D4-9A2C-5BF7DE0297BF@muada.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Next step on web phishing draft(draft-hartman-webauth-phishing-05.txt)
Thread-Index: AcfzKj6eDFp6Aj4DQNKi/PQmpOaVfQAIVdHQ
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>, Alexey Melnikov <alexey.melnikov@isode.com>
X-OriginalArrivalTime: 10 Sep 2007 01:50:39.0347 (UTC) FILETIME=[FD24F430:01C7F34C]
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 798b2e660f1819ae38035ac1d8d5e3ab
X-Mailman-Approved-At: Mon, 10 Sep 2007 11:47:32 -0400
Cc: ietf-http-auth@osafoundation.org, discuss@apps.ietf.org, ietf-http-wg@w3.org, ietf@ietf.org, saag@mit.edu
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols <discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org

> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com] 

> During the reading of this document, it occurred to me that 
> HTTP digest authentication (RFC 2617) rather than the widely 
> used practice of having security credentials be typed into an 
> HTTP form would achieve 90% of the requirements all by 
> itself. 

Well maybe if people had listened to me then :-)

But at this point, fifteen years later, Digest is not the way to go. First, Digest was designed under the express constraint of avoiding patent encumbrances. RSA and D-H were both off the table at the time.

If I were to redo Digest today or expand its scope I would do it differently. The main reason I would not is that SAML and WS-* both provide an excellent solution. I very much like and support the Cardspace idea of building into the O/S platform. I very much like the OpenID concept of making the barrier to entry very low. I would like to arrive at a happy combination of the existing proposals, not see more proposals put on the table at this point.
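For readers who want to see what the RFC 2617 Digest exchange mentioned in the quoted message actually computes, here is an added example; it is not code from the thread, from the draft, or from any of the authors. The client side is the qop="auth" computation from RFC 2617 section 3.2.2, and the server side is a minimal verifier that stores only HA1 per user, issues its own nonces, and refuses a reused (nonce, nc) pair. The realm "bank.example", the user "alice", the password, the request URI and the phishing realm "bank-example.test" are constructed sample values; the Mufasa/testrealm vector is the one printed in RFC 2617 section 3.5.

```python
"""RFC 2617 HTTP Digest (qop="auth"): client computation and a minimal verifier.

Added example, not from the original thread. All realms, names, passwords
and nonces below are constructed sample values except the RFC 2617 vector.
"""
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_response(username: str, password: str, realm: str, method: str,
                     uri: str, nonce: str, nc: str, cnonce: str,
                     qop: str = "auth") -> str:
    """Client side (RFC 2617 3.2.2.1, qop=auth).

    The password enters only HA1; what goes over the wire is the final
    MD5, bound to this realm, this server nonce, this nonce count and
    this method/URI. The cleartext password is never transmitted.
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: keeps HA1 per user (not the password), issues nonces,
    and rejects any (nonce, nc) pair it has already accepted."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.ha1_by_user: dict[str, str] = {}
        self.issued_nonces: set[str] = set()
        self.accepted: set[tuple[str, str]] = set()

    def add_user(self, username: str, password: str) -> None:
        # Only HA1 is stored; it is already bound to this server's realm.
        self.ha1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self) -> dict[str, str]:
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce not in self.issued_nonces:
            return False          # unknown user, or a nonce we never issued
        if (nonce, nc) in self.accepted:
            return False          # replay of an already-used nonce count
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.accepted.add((nonce, nc))
        return True


def demo() -> dict[str, bool]:
    """Three checks: a normal login succeeds, replaying the same
    response fails, and a response the user computed for a phishing
    site's own realm and nonce is useless against the real server."""
    password = "correct horse battery staple"          # constructed sample
    bank = DigestServer("bank.example")
    bank.add_user("alice", password)

    ch = bank.challenge()
    cnonce = secrets.token_hex(8)
    resp = compute_response("alice", password, ch["realm"], "GET", "/account",
                            ch["nonce"], "00000001", cnonce)
    first = bank.verify("alice", "GET", "/account", ch["nonce"], "00000001", cnonce, resp)
    replay = bank.verify("alice", "GET", "/account", ch["nonce"], "00000001", cnonce, resp)

    # A look-alike site issues its own challenge; the browser computes HA1
    # over *that* realm and *that* nonce, so the captured value does not
    # verify at bank.example even if the phisher forwards it verbatim.
    phish_nonce = secrets.token_hex(16)
    phish_resp = compute_response("alice", password, "bank-example.test", "GET",
                                  "/account", phish_nonce, "00000001", cnonce)
    relayed = bank.verify("alice", "GET", "/account", phish_nonce, "00000001",
                          cnonce, phish_resp)
    return {"first": first, "replay": replay, "relayed": relayed}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind when weighing the "90%" claim above. The realm binding only helps when the attacker uses a realm or nonce of their own; an active relay that forwards the real server's challenge unchanged still obtains one response that verifies once, because Digest binds nothing to the server's identity or to the TLS channel. And HA1 is a password-equivalent for that realm, so the server-side store needs the same protection a password database does.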