Re: [Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
Tom Yu <tlyu@MIT.EDU> Thu, 18 September 2008 18:02 UTC
To: SM <sm@resistor.net>
Subject: Re: [Ietf-http-auth] Request for review and consensus -- draft-hartman-webauth-phishing
References: <6.2.5.6.2.20080909153753.02f54d98@resistor.net>
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 18 Sep 2008 14:02:38 -0400
In-Reply-To: <6.2.5.6.2.20080909153753.02f54d98@resistor.net> (sm@resistor.net's message of "Tue, 09 Sep 2008 17:20:46 -0700")
Message-ID: <ldvk5d9wcw1.fsf@cathode-dark-space.mit.edu>
Cc: ietf-http-auth@osafoundation.org, Sam Hartman <hartmans-ietf@mit.edu>
SM <sm@resistor.net> writes:

> At 09:01 09-09-2008, Tom Yu wrote:
>> "We assume that users wish to protect themselves, but are willing
>> to expend only limited effort to combat phishing; they will avoid
>> an interface if they find it too complicated. This can result in
>> the user preferring a simpler insecure interface to a more complex
>> but more secure one. Alternatively, a user more fully informed of
>> the risks may abandon any effort to access a service if the choice
>> is between using a complex, secure interface and using a simple
>> but known-to-be-insecure interface."
>
> That's a good summary of the problem from a user angle. It's a user
> interface design consideration.

I have repeatedly heard, from various people in the IETF, statements to
the effect of "it's a user interface design consideration, so we don't
have to worry about it". Your statement above might not be an
expression of this sentiment, but I think the point is worth addressing.

The IETF should certainly care about user interface design, but in a
very particular way: the protocols that the IETF designs place
constraints on user interface designers, and these constraints can
drive user interface design in ways that dramatically affect the
security and quality of the end user experience.

By their very nature, user interfaces involve the user interacting with
or interfacing with something. I will grant that presentation details
of a user interface, such as graphical layout, are not the business of
the IETF. Protocol design affects what information is available to a
user through a user interface. It also affects the relationships among
those pieces of information in terms of time, space, and dependencies.
For these reasons, I think that the IETF should pay careful attention
to how protocol design decisions affect user interface design.