[Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
Lisa Dusseault <lisa@osafoundation.org> Wed, 03 September 2008 20:41 UTC
To: HTTP Working Group <ietf-http-wg@w3.org>, secdir@mit.edu, saag@ietf.org, Apps Discuss <discuss@ietf.org>
Cc: ietf-http-auth@osafoundation.org

You may have seen this draft a year ago; Sam is back working on it and produced version -09 last month.

http://tools.ietf.org/html/draft-hartman-webauth-phishing-09

If you've reviewed it before, please take a look at the changes. If you'd like to review it, please do. I'm the shepherd for this draft, so comments can be sent to me, to Sam as author, to ietf-http-auth@osafoundation.org, or to the IETF general list as appropriate.

In addition to getting general input, I'd like to get a sense of whether we have consensus on a couple things.

a) The statement including "IETF recommends", from section 1.1 of the draft:

"In publishing this memo, the IETF recommends making available authentication mechanisms that meet the requirements outlined in Section 4 in HTTP user agents including web browsers. It is hoped that these mechanisms will prove a useful step in fighting phishing. However this memo does not restrict work either in the IETF or any other organization. In particular, new authentication efforts are not bound to meet the requirements posed in this memo unless the charter for those efforts chooses to make these binding requirements. Less formally, the IETF presents this memo as an option to pursue while acknowledging that there may be other promising paths both now and in the future."

b) Whether the document should require mutual authentication (section 4.4).

Thanks,
Lisa D.