[Ietf-http-auth] Alignment of draft-hartman-webauth-phishing with W3C draft on user interface guidelines for usable authentication
Sam Hartman <hartmans-ietf@mit.edu> Wed, 13 August 2008 17:14 UTC
From: Sam Hartman <hartmans-ietf@mit.edu>
To: ietf-http-auth@lists.osafoundation.org
Date: Wed, 13 Aug 2008 13:14:43 -0400
Message-ID: <tslhc9ohm64.fsf@mit.edu>
As people here are probably aware, the W3C is last calling a draft on user interface guidelines for web security context. Please read http://www.w3.org/TR/2008/WD-wsc-ui-20080724/ . It seems like a really good document. However, I don't think it obsoletes draft-hartman-webauth-phishing.

The W3C document is focused on helping users get the indications they need for TLS to be useful with today's authentication mechanisms. My draft is focused on requirements for authentication mechanisms that will reduce the impact of mistakes.

If you believe that the W3C recommendations will be so good that people will never be spoofed with a user agent that implements them, then my draft is probably unnecessary. I don't think anyone--especially not the participants in the W3C security context working group--believes that. Instead, I believe we are all working on a layered approach to security, trying to increase the probability that when someone attempts to commit fraud, some mechanism somewhere will detect that with high enough confidence that the user agent can positively flag the situation. It is critical that we do not generate so many false positives that users lose confidence in fraud signals when they do happen. As such, I believe that new authentication mechanisms, security context usability improvements, reputation systems and lists of known frauds can all work together in improving web security.

It turns out that my draft is reasonably aligned with the W3C draft:

* They focus on creating situations where the user agent can raise a danger signal--interrupting the user's task and indicating that with high confidence something is risking the user's information. My draft tries to create situations where the same signal can be raised by the authentication mechanism.

* The W3C draft recommends establishing trust in the UI via shared secrets. They note that these mechanisms have questionable effectiveness. I should note we're taking the same approach, and I will continue my plan of accurately describing the limitations of this mechanism.

* The W3C draft seems consistent with the idea that making security context relevant to the transaction that the user is actually performing may help.

So, I propose to:

* Add a discussion of how these technologies can work together to the front.

* Add references from the discussion of trusted UI to the appropriate sections from the W3C draft.

In addition I will continue my plan to:

* Go through the document and clean up areas where the claims are stronger than is justified.

* Address Eric's comments about why we exclude mechanisms like pwdhash.

* Clean up and prepare for a discussion here and on the list.

I made some improvements before Dublin but other work got in the way and I did not finish. I expect to get to a version I think is ready for discussion here within a couple of weeks.