Re: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements

Sam Hartman <hartmans-ietf@mit.edu> Thu, 06 July 2006 19:55 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: Digital Identity Exchange <dix@ietf.org>
Subject: Re: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
References: <20060619220742.40B85222427@laser.networkresonance.com> <2EFA8C54-9BF9-41CA-ABD0-D6286601A5B1@sxip.com> <868xnnfarh.fsf@raman.networkresonance.com> <528CC6D5-3549-438F-88AE-61D610B9D92F@sxip.com> <1b587cab0606240923sd7f435ds7fbf1aeecf2b304f@mail.google.com> <E2067EC0-B18E-433B-940C-BE30463396AA@sxip.com>
Date: Thu, 06 Jul 2006 15:56:11 -0400
In-Reply-To: <E2067EC0-B18E-433B-940C-BE30463396AA@sxip.com> (Dick Hardt's message of "Sat, 24 Jun 2006 09:27:52 -0700")
Message-ID: <tslac7ma4o4.fsf@cz.mit.edu>
Cc: ietf-http-auth@lists.osafoundation.org

>>>>> "Dick" == Dick Hardt <dick@sxip.com> writes:

    Dick> Agreed. My point is that it is much easier to solve it in
    Dick> one place than on all sites. The IdP can become a
    Dick> combination of client side and server side code to deal much
    Dick> more effectively with the phishing issue. It is unreasonable
    Dick> for every site to do that.

I'm missing something here.  Long term, it seems like all the clients
are going to need to change so that they can interact with the new
IDPs.  Long term, the servers are definitely going to need to change
so they can accept information from the IDPs.  I don't see why it is
unreasonable to solve this on all sites long-term.  In fact, I believe
we're going to have to in order to deal with my requirement 4.4
(mutual authentication).  And yes, I think that requirement is really
important because without it, you don't have assurance that you aren't
giving personal information to the wrong party--you don't have
assurance that you aren't being phished.


I think the question we should be asking in this space is whether
there is something we can do in short-to-medium term that has
acceptable intermediate security.  A question you're presumably
interested in is whether DIX or something close to it would be such a
something.


I don't know what my answer to that question is.  I hope to have
decided by the end of the BOF.

