Re: [Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
Chris Newman <Chris.Newman@Sun.COM> Sat, 20 September 2008 01:34 UTC
Date: Fri, 19 Sep 2008 18:34:34 -0700
From: Chris Newman <Chris.Newman@Sun.COM>
Subject: Re: [Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
In-reply-to: <ldvk5d9wcw1.fsf@cathode-dark-space.mit.edu>
Sender: Chris.Newman@Sun.COM
To: Tom Yu <tlyu@MIT.EDU>, SM <sm@resistor.net>
Message-id: <8171D4020B8E3BCB250EE3D0@446E7922C82D299DB29D899F>
References: <6.2.5.6.2.20080909153753.02f54d98@resistor.net> <ldvk5d9wcw1.fsf@cathode-dark-space.mit.edu>
Cc: ietf-http-auth@osafoundation.org, Sam Hartman <hartmans-ietf@MIT.EDU>
Well said! I'll add that I believe several IETF protocols are less
successful than they could be due to our failure to consider and/or
address the user interface constraints created by our protocols, and our
failure to communicate advice that could be used to create better user
interfaces.

		- Chris

--On September 18, 2008 14:02:38 -0400 Tom Yu <tlyu@MIT.EDU> wrote:

> SM <sm@resistor.net> writes:
>
>> At 09:01 09-09-2008, Tom Yu wrote:
>>> "We assume that users wish to protect themselves, but are willing
>>> to expend only limited effort to combat phishing; they will avoid
>>> an interface if they find it too complicated. This can result in
>>> the user preferring a simpler insecure interface to a more complex
>>> but more secure one. Alternatively, a user more fully informed of
>>> the risks may abandon any effort to access a service if the choice
>>> is between using a complex, secure interface and using a simple
>>> but known-to-be-insecure interface."
>>
>> That's a good summary of the problem from a user angle. It's a user
>> interface design consideration.
>
> I have repeatedly heard, from various people in the IETF, statements
> to the effect of "it's a user interface design consideration, so we
> don't have to worry about it". Your statement above might not be an
> expression of this sentiment, but I think the point is worth
> addressing.
>
> The IETF should certainly care about user interface design, but in a
> very particular way: the protocols that the IETF designs place
> constraints on user interface designers, and these constraints can
> drive user interface design in ways that dramatically affect the
> security and quality of the end user experience.
>
> By their very nature, user interfaces involve the user interacting
> with or interfacing with something. I will grant that presentation
> details of a user interface, such as graphical layout, are not the
> business of the IETF. Protocol design affects what information is
> available to a user through a user interface. It also affects the
> relationships among those pieces of information in terms of time,
> space, and dependencies.
>
> For these reasons, I think that the IETF should pay careful attention
> to how protocol design decisions affect user interface design.