Re: [Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
Sam Hartman <hartmans-ietf@mit.edu> Tue, 09 September 2008 13:05 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: ietf-http-auth@osafoundation.org
Delivered-To: ietf-http-auth@osafoundation.org
Received: from laweleka.osafoundation.org (laweleka.osafoundation.org [204.152.186.98]) by leilani.osafoundation.org (Postfix) with ESMTP id 33BCC80D66 for <ietf-http-auth@osafoundation.org>; Tue, 9 Sep 2008 06:05:43 -0700 (PDT)
Received: from localhost (laweleka.osafoundation.org [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id C911D14222B for <ietf-http-auth@osafoundation.org>; Tue, 9 Sep 2008 06:05:41 -0700 (PDT)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
X-Spam-Score: -1.42
X-Spam-Level:
X-Spam-Status: No, score=-1.42 tagged_above=-50 required=4 tests=[AWL=0.583, BAYES_00=-2.599, SPF_SOFTFAIL=0.596]
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YhNGo3KGy+4s for <ietf-http-auth@osafoundation.org>; Tue, 9 Sep 2008 06:05:31 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by laweleka.osafoundation.org (Postfix) with ESMTP id 43C0114222A for <ietf-http-auth@osafoundation.org>; Tue, 9 Sep 2008 06:05:31 -0700 (PDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id EC74F4116; Tue, 9 Sep 2008 09:05:27 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: SM <sm@resistor.net>
Subject: Re: [Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
References: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org> <6.2.5.6.2.20080908104107.02d68650@resistor.net> <tsltzcqxzjb.fsf@mit.edu> <6.2.5.6.2.20080908125602.02bb9ab8@resistor.net>
Date: Tue, 09 Sep 2008 09:05:27 -0400
In-Reply-To: <6.2.5.6.2.20080908125602.02bb9ab8@resistor.net> (sm@resistor.net's message of "Mon, 08 Sep 2008 15:00:20 -0700")
Message-ID: <tsl8wu1tqp4.fsf@mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: ietf-http-auth@osafoundation.org
X-BeenThere: ietf-http-auth@osafoundation.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: ietf-http-auth.osafoundation.org
List-Unsubscribe: <http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth>, <mailto:ietf-http-auth-request@osafoundation.org?subject=unsubscribe>
List-Archive: <http://lists.osafoundation.org/pipermail/ietf-http-auth>
List-Post: <mailto:ietf-http-auth@osafoundation.org>
List-Help: <mailto:ietf-http-auth-request@osafoundation.org?subject=help>
List-Subscribe: <http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth>, <mailto:ietf-http-auth-request@osafoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2008 13:05:43 -0000
>>>>> "SM" == SM <sm@resistor.net> writes: SM> Hi Sam, SM> It may be difficult to gain IETF consensus on such SM> requirements if the document does not take into account SM> ongoing work such as draft-oiwa-http-mutualauth-03. I'm familiar with that work. I just reviewed that draft again; it definitely seems like that protocol could be deployed in a manner that is consistent with these requirements. SM> By coming SM> up with a set of requirements at this stage, we may be SM> constraining "other promising paths". One of my goals in section 1.1 was to avoid doing that. Assuming the IETF had consensus behind the text in section 1.1, how would these requirements constrain other paths? (as an aside, I personally believe that these would be great requirements for draft-oiwa-http-mutualauth-03: they would be easy to meet and I believe would if not already met improve the protocol.) SM> whereas the user interface questions are better suited for the SM> W3C. I do agree that specifics of UI should be handled through the W3C. I think that details that affect the security of the protocol, such as requiring that the UI distinguish (in some manner) password fields that will be sent over the net using basic from those that will be sent using some secure protocol are within the IETF's scope. SM> Quoting a sentence from Section 3: SM> "We assume that users have limited motivation to combat SM> phishing." Would you be happier with "We assume that users are interested in combatting phishing, but cannot be expected to learn the details of security protocols, certification practices, and the like." The goal of the existing sentence is to make it clear that asking use.users to understand Unicode encoding issues, understand detailed information about what is validated in a certificate etc, is not appropriate.
- Re: [Ietf-http-auth] Request for review and conse… SM
- Re: [Ietf-http-auth] Request for review and conse… Chris Newman
- Re: [Ietf-http-auth] Request for review and conse… Tom Yu
- Re: [Ietf-http-auth] Request for review and conse… SM
- [Ietf-http-auth] Assumptions about user motivatio… Sam Hartman
- Re: [Ietf-http-auth] Request for review and conse… Tom Yu
- Re: [Ietf-http-auth] Request for review and conse… Sam Hartman
- [Ietf-http-auth] Re: Request for review and conse… Sam Hartman
- Re: [Ietf-http-auth] Request for review and conse… SM
- Re: [Ietf-http-auth] Request for review and conse… Sam Hartman
- Re: [Ietf-http-auth] Request for review and conse… SM
- [Ietf-http-auth] Re: Request for review and conse… Simon Josefsson
- [Ietf-http-auth] [Peter Gutmann] Re: [saag] Reque… Sam Hartman
- Re: [saag] Request for review and consensus -- dr… Peter Gutmann
- [Ietf-http-auth] Request for review and consensus… Lisa Dusseault