Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing

pgut001@cs.auckland.ac.nz (Peter Gutmann) Thu, 04 September 2008 15:27 UTC

From: pgut001@cs.auckland.ac.nz
To: discuss@ietf.org, ietf-http-wg@w3.org, lisa@osafoundation.org, saag@ietf.org, secdir@mit.edu
In-Reply-To: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
Message-Id: <E1KbGio-00037B-Q7@wintermute01.cs.auckland.ac.nz>
Date: Fri, 05 Sep 2008 03:26:10 +1200
Cc: ietf-http-auth@osafoundation.org
Subject: Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing

Lisa Dusseault <lisa@osafoundation.org> writes:

>You may have seen this draft a year ago; Sam is back working on it and
>produced version -09 last month.
>
>http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
>
>[...]
>
>b) Whether the document should require mutual authentication (section 4.4).

Yes, absolutely!  The whole reason why phishing works is that the site is
never authenticated; without mutual auth (and specifically strong mutual auth,
e.g. some form of cryptographic challenge-response mechanism rather than the
pretend-auth of "do you recognise this image?" that some US banks have
adopted) you're not really achieving much.

Peter.
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
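The kind of cryptographic challenge-response mutual authentication the message above contrasts with "do you recognise this image?", as an added example that is not part of this thread or of draft-hartman-webauth-phishing. It assumes a secret shared by the user and the genuine site that never crosses the wire (derived here from the password with PBKDF2 and a constructed salt), a two-nonce HMAC exchange of my own layout, and two constructed attackers: a phishing site that only holds a guessed password, and one that relays the live exchange to the real site. All names, parameters and sample data are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the draft or the thread. The password-to-key
# step (PBKDF2, constructed parameters) and the message layout are assumptions.


def derive_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def tag(key: bytes, direction: bytes, first: bytes, second: bytes) -> bytes:
    # Domain-separated MAC over both nonces: a server-direction tag cannot be
    # passed off as a client-direction tag or reused with other nonces.
    return hmac.new(key, direction + first + second, hashlib.sha256).digest()


class Server:
    """The genuine site. Tracks issued nonces so a captured tag cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def respond(self, client_nonce: bytes):
        server_nonce = secrets.token_bytes(16)
        self.outstanding.add(server_nonce)
        # Proves knowledge of the key to the client (server-to-client auth).
        return server_nonce, tag(self.key, b"server", client_nonce, server_nonce)

    def verify_client(self, client_nonce, server_nonce, client_tag) -> bool:
        if server_nonce not in self.outstanding:
            return False  # replayed or fabricated server nonce
        self.outstanding.discard(server_nonce)
        expected = tag(self.key, b"client", server_nonce, client_nonce)
        return hmac.compare_digest(expected, client_tag)


class Client:
    def __init__(self, key: bytes):
        self.key = key

    def login(self, site) -> bool:
        nc = secrets.token_bytes(16)
        ns, server_tag = site.respond(nc)
        # Authenticate the site first: a phisher without the key cannot
        # produce this tag, and nothing secret has been sent yet.
        if not hmac.compare_digest(tag(self.key, b"server", nc, ns), server_tag):
            return False
        return site.verify_client(nc, ns, tag(self.key, b"client", ns, nc))


class RelayingPhisher:
    """A phishing site that proxies the live exchange to the genuine server.

    It passes the user's check for this one session, but what it records is
    nonce-bound and useless for a later login on its own."""

    def __init__(self, upstream: Server):
        self.upstream = upstream
        self.captured = None

    def respond(self, client_nonce):
        return self.upstream.respond(client_nonce)

    def verify_client(self, client_nonce, server_nonce, client_tag):
        self.captured = (client_nonce, server_nonce, client_tag)
        return self.upstream.verify_client(client_nonce, server_nonce, client_tag)


def demo():
    salt = b"constructed-salt"  # constructed sample data
    key = derive_key(b"correct horse battery staple", salt)
    user = Client(key)
    genuine = Server(key)
    guessing_phisher = Server(derive_key(b"password123", salt))
    relay = RelayingPhisher(genuine)

    genuine_ok = user.login(genuine)           # True: real site proves itself
    guess_ok = user.login(guessing_phisher)    # False: user refuses before answering
    relay_ok = user.login(relay)               # True: the exchange reached the real site
    replay_ok = genuine.verify_client(*relay.captured)  # False: nonce already consumed
    return genuine_ok, guess_ok, relay_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

The relay case is the caveat a practitioner should keep in mind: challenge-response stops a phishing site from collecting a reusable credential, but a live man-in-the-middle can still ride the session it relays unless the exchange is bound to the TLS channel. A second limitation of keys derived directly from passwords is that a passive observer can run an offline dictionary attack on the recorded tags, which is what PAKE protocols such as SRP are designed to prevent.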