Re: [Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
SM <sm@resistor.net> Mon, 08 September 2008 23:45 UTC
Return-Path: <sm@resistor.net>
X-Original-To: ietf-http-auth@osafoundation.org
Delivered-To: ietf-http-auth@osafoundation.org
Received: from laweleka.osafoundation.org (laweleka.osafoundation.org [204.152.186.98]) by leilani.osafoundation.org (Postfix) with ESMTP id 5974480D10 for <ietf-http-auth@osafoundation.org>; Mon, 8 Sep 2008 16:45:14 -0700 (PDT)
Received: from localhost (laweleka.osafoundation.org [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id 04A8214222A for <ietf-http-auth@osafoundation.org>; Mon, 8 Sep 2008 16:45:13 -0700 (PDT)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
X-Spam-Score: -2.879
X-Spam-Level:
X-Spam-Status: No, score=-2.879 tagged_above=-50 required=4 tests=[AWL=-0.280, BAYES_00=-2.599]
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R+DktL36Bfih for <ietf-http-auth@osafoundation.org>; Mon, 8 Sep 2008 16:45:02 -0700 (PDT)
Received: from ns1.qubic.net (ns1.qubic.net [208.69.177.116]) by laweleka.osafoundation.org (Postfix) with ESMTP id 405D5142224 for <ietf-http-auth@osafoundation.org>; Mon, 8 Sep 2008 16:45:02 -0700 (PDT)
Received: from subman.resistor.net ([10.0.0.1]) (authenticated bits=0) by ns1.qubic.net (8.14.3/8.14.3) with ESMTP id m88NiUpe008514 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 8 Sep 2008 16:44:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1220917480; x=1221003880; bh=JJdjqfn5GIGKSl+bzgaeOKYSv1WTRMDQWgd4 zZpzjQ0=; h=Message-Id:Date:To:From:Subject:Cc:In-Reply-To: References:Mime-Version:Content-Type; b=m6aDc2pzLsyB30gkUF9IrRXLmN 1DyZ3fyOprNyAWdHBKsnKJ5viCSaXWaOtYwtq02loF0WTd327h/M1vjRyFfdgRYqAM8 jYqrgW0Hd9mTQKIANo9UfINzyNZQ/eliaTWIiyIJ6cFzLjEy/1UvfhULXiWTZcpR/91 /ueyXYZ7pXc=
DomainKey-Signature: a=rsa-sha1; s=mail; d=resistor.net; c=simple; q=dns; b=b+/jMFCp6n1c7s4vaggkV6G2xWZRo9F1qd0bjj3FV8uZesiLE6AiriC4QO9yBX9sO vfSqzF/5sZZNgDSEnel7Qo4lwpaymo/AJmch0x3CezVKkKFsMWna3W9O8LakCX/MR36 bk1XRwLQJ+Au4ioyTZeaw+xmrgmtZcPEOyB4r7w=
Message-Id: <6.2.5.6.2.20080908125602.02bb9ab8@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 08 Sep 2008 15:00:20 -0700
To: Sam Hartman <hartmans-ietf@mit.edu>
From: SM <sm@resistor.net>
Subject: Re: [Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
In-Reply-To: <tsltzcqxzjb.fsf@mit.edu>
References: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org> <6.2.5.6.2.20080908104107.02d68650@resistor.net> <tsltzcqxzjb.fsf@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: ietf-http-auth@osafoundation.org
X-BeenThere: ietf-http-auth@osafoundation.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: ietf-http-auth.osafoundation.org
List-Unsubscribe: <http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth>, <mailto:ietf-http-auth-request@osafoundation.org?subject=unsubscribe>
List-Archive: <http://lists.osafoundation.org/pipermail/ietf-http-auth>
List-Post: <mailto:ietf-http-auth@osafoundation.org>
List-Help: <mailto:ietf-http-auth-request@osafoundation.org?subject=help>
List-Subscribe: <http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth>, <mailto:ietf-http-auth-request@osafoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2008 23:45:14 -0000
Hi Sam,
At 11:28 08-09-2008, Sam Hartman wrote:
>Can I get you to focus on what we want the ietf consensus to be
>rather than on how to accomplish that?
Yes, we can. Most of us would agree that phishing is a problem and
something has to be done about it. As such, your I-D is a step in
the right direction. In Section 1, it is mentioned that:
"The requirements presented in this memo are intended to be useful to
browser designers, designers of other HTTP applications and designers
of future HTTP authentication mechanisms."
It may be difficult to gain IETF consensus on such requirements if
the document does not take into account ongoing work such as
draft-oiwa-http-mutualauth-03. By coming up with a set of
requirements at this stage, we may be constraining "other promising paths".
>I agree that we'll need to have a discussion of how to accomplish
>that. I think it is better to have a discussion of what we're
>accomplishing though.
The document describes a threat model, then gets in protocol and user
interface issues. What we are accomplishing is mixing the two sides
of the issue.
>Can I get you to ignore the intended status, review section 1.1 and
>the rest of the draft and comment on whether you think that would be a
>good position for the IETF to take on this issue, and if not, what
>position the IETF should take?
1. Does the work fall under the purview of the IETF?
2. Is the IETF in a position to solve the problem?
3. Is there interest within the IETF to work on a solution?
In my opinion, the IETF could tackle the protocol questions whereas
the user interface questions are better suited for the W3C. As we
are discussing about requirements, it may be better to get this done
through a Working Group effort. If the community believes that the
answers to the above questions are yes, then I would say "take on the
issue". Otherwise, we can settle for "the IETF takes no position".
Quoting a sentence from Section 3:
"We assume that users have limited motivation to combat phishing."
I beg to differ. That sounds like the users do not care about
phishing. Some users have the motivation but they don't know how to
do it. In a nutshell, we have failed in providing them with adequate
tools to detect phishing attempts.
>No, I believe this ID makes no normative statement about how a user
>interface should be constructed. It does make statements about what
>the protocol requires of the user interface at a very abstract
>level--well within what I've seen from other standards.
In Section 4.1:
"The web authentication solution MUST support the password user
interface and MUST be secure even when the password interface is
commonly used."
I don't see how we can set a requirement level for a password user
interface. What we can do is to provide "hooks" into the system so
as to interact with it through an API.
"A solution to these requirements MUST also support smart cards and
other authentication solutions."
Again, I don't see why smart cards is a MUST.
Regards,
-sm
- Re: [Ietf-http-auth] Request for review and conse… SM
- Re: [Ietf-http-auth] Request for review and conse… Chris Newman
- Re: [Ietf-http-auth] Request for review and conse… Tom Yu
- Re: [Ietf-http-auth] Request for review and conse… SM
- [Ietf-http-auth] Assumptions about user motivatio… Sam Hartman
- Re: [Ietf-http-auth] Request for review and conse… Tom Yu
- Re: [Ietf-http-auth] Request for review and conse… Sam Hartman
- [Ietf-http-auth] Re: Request for review and conse… Sam Hartman
- Re: [Ietf-http-auth] Request for review and conse… SM
- Re: [Ietf-http-auth] Request for review and conse… Sam Hartman
- Re: [Ietf-http-auth] Request for review and conse… SM
- [Ietf-http-auth] Re: Request for review and conse… Simon Josefsson
- [Ietf-http-auth] [Peter Gutmann] Re: [saag] Reque… Sam Hartman
- Re: [saag] Request for review and consensus -- dr… Peter Gutmann
- [Ietf-http-auth] Request for review and consensus… Lisa Dusseault