[Ietf-http-auth] Re: Request for review and consensus -- draft-hartman-webauth-phishing

Simon Josefsson <simon@josefsson.org> Mon, 08 September 2008 09:02 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: ietf-http-auth@osafoundation.org
Delivered-To: ietf-http-auth@osafoundation.org
Received: from laweleka.osafoundation.org (laweleka.osafoundation.org [204.152.186.98]) by leilani.osafoundation.org (Postfix) with ESMTP id B0A1C80D54; Mon, 8 Sep 2008 02:02:42 -0700 (PDT)
Received: from localhost (laweleka.osafoundation.org [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id 51CA8142204; Mon, 8 Sep 2008 02:02:41 -0700 (PDT)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
X-Spam-Score: -3.964
X-Spam-Level:
X-Spam-Status: No, score=-3.964 tagged_above=-50 required=4 tests=[AWL=-1.364, BAYES_00=-2.599, SPF_PASS=-0.001]
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ccfFTQjpUmB8; Mon, 8 Sep 2008 02:02:28 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by laweleka.osafoundation.org (Postfix) with ESMTP id A1414142207; Mon, 8 Sep 2008 02:02:27 -0700 (PDT)
Received: from c80-216-18-41.bredband.comhem.se ([80.216.18.41] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.63) (envelope-from <simon@josefsson.org>) id 1KccdH-0004l6-G7; Mon, 08 Sep 2008 11:02:08 +0200
X-Hashcash: 1:22:080908:hartmans-ietf@mit.edu::y/MleEpzxtAVlrbT:2aQp
X-Hashcash: 1:22:080908:ietf@ietf.org::g6OhuXSEiLIF94hf:E9nG
From: Simon Josefsson <simon@josefsson.org>
To: Lisa Dusseault <lisa@osafoundation.org>, Sam Hartman <hartmans-ietf@mit.edu>
References: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:080908:secdir@mit.edu::/perGNJNTkQe0NxE:2ADk
X-Hashcash: 1:22:080908:ietf-http-wg@w3.org::J2cHDa1uLzq2nLpR:2tGh
X-Hashcash: 1:22:080908:saag@ietf.org::VaLHew/wN489sVoL:9VxW
X-Hashcash: 1:22:080908:discuss@ietf.org::n/3Yixg1Wzepxooa:Fbnr
X-Hashcash: 1:22:080908:lisa@osafoundation.org::fl6r+j4eQsY9D/3J:83oC
X-Hashcash: 1:22:080908:ietf-http-auth@osafoundation.org::lhkVCFmAOA0Dr7EJ:EMce
In-Reply-To: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org> (Lisa Dusseault's message of "Wed, 3 Sep 2008 13:41:39 -0700")
Message-ID: <87k5dnyprr.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailman-Approved-At: Thu, 02 Oct 2008 16:30:22 -0700
Cc: ietf-http-auth@osafoundation.org, ietf@ietf.org
Subject: [Ietf-http-auth] Re: Request for review and consensus -- draft-hartman-webauth-phishing
X-BeenThere: ietf-http-auth@osafoundation.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: ietf-http-auth.osafoundation.org
List-Unsubscribe: <http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth>, <mailto:ietf-http-auth-request@osafoundation.org?subject=unsubscribe>
List-Archive: <http://lists.osafoundation.org/pipermail/ietf-http-auth>
List-Post: <mailto:ietf-http-auth@osafoundation.org>
List-Help: <mailto:ietf-http-auth-request@osafoundation.org?subject=help>
List-Subscribe: <http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth>, <mailto:ietf-http-auth-request@osafoundation.org?subject=subscribe>
Date: Mon, 08 Sep 2008 09:02:42 -0000
X-Original-Date: Mon, 08 Sep 2008 11:02:00 +0200
X-List-Received-Date: Mon, 08 Sep 2008 09:02:42 -0000

The document says that the intended status is 'Informational'.
Statements such as "IETF recommends", and normative words such as 'MUST'
as used per RFC 2119, appear inconsistent with the intended use of
the 'Informational' status (RFC 2026 4.2.2):

   An "Informational" specification is published for the general
   information of the Internet community, and does not represent an
   Internet community consensus or recommendation.

Thus, I suggest that either

1) The intended status of the document is changed to
   Best-Current-Practice.

2) The normative words, references to RFC 2119, and statements regarding
   'IETF recommends' are removed.

I would prefer 1).

Thanks,
Simon

Lisa Dusseault <lisa@osafoundation.org> writes:

> You may have seen this draft a year ago; Sam is back working on it and
> produced version -09 last month.
>
> http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
>
> If you've reviewed it before, please take a look at the changes.  If
> you'd like to review it, please do.  I'm the shepherd for this draft,
> so comments can be sent to me, to Sam as author, to
> ietf-http-auth@osafoundation.org , or to the IETF general list as
> appropriate.
>
> In addition to getting general input, I'd like to get a sense of
> whether we have consensus on a couple things.
>
> a).  The statement including "IETF recommends", from section 1.1 of
> the draft:
>
>    "In publishing this memo, the IETF recommends making available
>    authentication mechanisms that meet the requirements outlined in
>    Section 4 in HTTP user agents including web browsers.  It is hoped
>    that these mechanisms will prove a useful step in fighting phishing.
>    However this memo does not restrict work either in the IETF or any
>    other organization.  In particular, new authentication efforts are
>    not bound to meet the requirements posed in this memo unless the
>    charter for those efforts chooses to make these binding
>    requirements.
>    Less formally, the IETF presents this memo as an option to pursue
>    while acknowledging that there may be other promising paths both now
>    and in the future."
>
> b) Whether the document should require mutual authentication (section
> 4.4).
>
> Thanks,
> Lisa D.