Re: [dix] Re: [Ietf-http-auth] Notes on Web authenticationenhancements

Dick Hardt <dick@sxip.com> Tue, 11 July 2006 21:53 UTC

In-Reply-To: <198A730C2044DE4A96749D13E167AD37BD603F@MOU1WNEXMB04.vcorp.ad.vrsn.com>
References: <198A730C2044DE4A96749D13E167AD37BD603F@MOU1WNEXMB04.vcorp.ad.vrsn.com>
Message-Id: <AE33D314-BCD0-4618-908C-BDBB6E7D4AC7@sxip.com>
From: Dick Hardt <dick@sxip.com>
Subject: Re: [dix] Re: [Ietf-http-auth] Notes on Web authenticationenhancements
Date: Tue, 11 Jul 2006 10:53:46 -0700
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Cc: Digital Identity Exchange <dix@ietf.org>, ietf-http-auth@lists.osafoundation.org, Sam Hartman <hartmans-ietf@mit.edu>

On 7-Jul-06, at 1:06 PM, Hallam-Baker, Phillip wrote:

>> 1) Most sites are not targeted by phishers today, and
>> unlikely to be targeted in the future, so they should not be
>> forced to put in technology for resolving phishing.
>
> This is completely wrong.
>
> Every type of site is targeted by criminal schemes; blogs are
> currently targets for spam and for dropping trojans onto user
> machines via spyware.
>
> If I can get hold of a blogger's username and password I can  
> install a trojan dropper onto their site. Blogger has been infested  
> with hundreds of thousands of sites with music backgrounds provided  
> by spyware companies.
>
> There are already extensive attacks against search engines. If you  
> can see the searches someone has done recently you can quickly  
> build up a picture to use in an identity theft.

Just to clarify, phishers are spoofing Google and Blogger to steal  
credentials? If so, I stand corrected.

>
>> 2) Currently the user has NO trusted site or client and is
>> easily phished. Once the user has one trusted software
>> system, then that system can more easily determine the
>> identity of other sites. In other words, the user will not
>> have to build up the full assurance stack with each site, the
>> user can leverage something they already trust to assist in
>> making the trust decision.
>
> The problem is not a lack of trusted sites, it is a lack of sites  
> that are trustWORTHY.

Agreed. Semantics is not one of my stronger skills. :-)


_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix