[Ietf-http-auth] Please Review version 09 of draft-hartman-webauth-phishing

[Sam Hartman <hartmans-ietf@mit.edu>]

Dear Eric:

I believe I have responded to many of the issues you raised during the
last call of draft-hartman-webauth-phishing and think things are at a
point where it would be productive for you to review the document and
see what issues remain.  I've tried to include a change history but
let me summarize major points below.  Some of these changes (and the
document as a whole) require review for consensus.  Please see my next
message to Alexey on that point.

* Section 1.1 and section 1.2 have been added to the document in order
  to help clarify the purpose of the document.  Section 1.1 is text
  that would need to gain some level of consensus and then be included
  in an ietf-wide last call.  I've tried to make it clear that this
  document is not calling for new security mechanisms to be developed.
  You reviewed a previous version of section 1.1 that actually did end
  up focusing on developing authentication mechanisms; my apologies
  for that wording.  It was a result of how I'm thinking about the
  layers involved, and I believe meant something very different to me
  than to anyone else who read it.

As an aside, Microsoft has been looking at strengthening their HTTP
authentication for the enterprise.  They managed to find much simpler
solutions to extending existing mechanisms than I had suspected were
possible.  I never expected that developing new security mechanisms
would be desirable, but I thought that more work would be needed on
how existing mechanisms fit into HTTP than appears to be needed in
practice.  I still think there is some limited work to do within the
scope of the IETF, but much less than I thought when I started this
document.

* I've taken your suggestion of splitting the concept of passwords
  into plaintext password protocols and passwords as a user interface
  concept.  This  is described in section 2.1 and I think has been
  integrated throughout the rest of the document.

* Rephrased all the discussion of UI to make it clear that we have no
  confidence (and evidence against) the idea that the UI concepts will
  work.  I've specifically removed any language that implies that UI
  suggestions are exhaustive; that was never my intent.


* Significantly worked on the text of the threat model in order to improve clarity.

* Worked on the clarity of the requirements.  In a number of cases I
  had proposed requirements that seemed likely to be true of potential
  solutions and that were easier to analyze than the actual
  constraints.  I've tried to remove that and actually state the base
  requirements.

* I've added a discussion of the pwdhash class of mechanisms in the
  discussion of mutual authentication.  My position is that pwdhash is
  an improvement over what we have today.  However the phishing
  possibilities opened up by not doing mutual authentication are
  serious enough that we want to eventually end up with solutions that
  support mutual authentication.  We don't want to discourage
  deployment of pwdhash or similar mechanisms though.  I think this is
  an issue where we need to come to some level of consensus.


* I've strengthened the text that makes it clear that zero-knowledge
  mechanisms are non-starters for IPR reasons.  If you read text in
  the current version as implying that this document recommends going
  down the zero-knowledge path, please point it out so I can remove
  it.


* I've integrated references to the W3C security context work in this space.

There is one set of comments I have intentionally not addressed.  I
disagree with you that the references section of this document should
be a reasonable biography of the space.  I'm happy to include
references that enhance specific new or existing text, but am not
interested in a survey of the space.  I think this issue was discussed
enough during the last call and the IESG telechat that I feel
confident it has been reviewed by the  community.