Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing

pgut001@cs.auckland.ac.nz (Peter Gutmann) Thu, 04 September 2008 15:53 UTC

From: pgut001@cs.auckland.ac.nz
To: discuss@ietf.org, ietf-http-wg@w3.org, lisa@osafoundation.org, saag@ietf.org, secdir@mit.edu
Cc: ietf-http-auth@osafoundation.org
In-Reply-To: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
Message-Id: <E1KbGio-00037B-Q7@wintermute01.cs.auckland.ac.nz>
Old-Date: Fri, 05 Sep 2008 03:26:10 +1200
Date: Thu, 04 Sep 2008 15:27:16 +0000
ReSent-Date: Thu, 04 Sep 2008 11:51:40 -0400
ReSent-From: Yves Lafon <ylafon@w3.org>
ReSent-To: ietf-http-wg@w3.org
ReSent-Subject: [Moderator Action] Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing
X-Original-To: ietf-http-wg@w3.org
Subject: Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing
Archived-At: <http://www.w3.org/mid/E1KbGio-00037B-Q7@wintermute01.cs.auckland.ac.nz>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/5264

Lisa Dusseault <lisa@osafoundation.org> writes:

>You may have seen this draft a year ago; Sam is back working on it and
>produced version -09 last month.
>
>http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
>
>[...]
>
>b) Whether the document should require mutual authentication (section 4.4).

Yes, absolutely!  The whole reason why phishing works is that the site is
never authenticated; without mutual auth (and specifically strong mutual auth,
e.g. some form of cryptographic challenge-response mechanism rather than the
pretend-auth of "do you recognise this image?" that some US banks have
adopted) you're not really achieving much.

Peter.
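As an added example of the "strong mutual auth" Peter contrasts with the recognise-this-image schemes, here is a mutual challenge-response exchange with both sides' messages. This is illustration code written for this page, not code from the mail, from Peter, or from draft-hartman-webauth-phishing. It assumes a 32-byte secret shared at enrolment, HMAC-SHA256 as the MAC, and a per-connection "channel binding" value modelled as a hash of the server certificate; the class names (Server, Client, RelayPhisher) and the two certificate-hash constants are constructed for the example. It goes one step beyond the text: the fourth scenario shows that challenge-response on its own is defeated by a phishing site that simply relays the exchange to the genuine server, and that binding the MAC to the channel the client actually sees is what stops that relay. Treat that binding as an assumption of the example, not as something the mail asserts.

```python
"""Mutual challenge-response authentication, with and without channel binding.

Added example (not from the original mail or from draft-hartman-webauth-phishing).
Assumptions: a 32-byte secret shared at enrolment, HMAC-SHA256 as the MAC, and a
channel-binding value identifying the TLS connection, modelled as a hash of the
server certificate (constructed constants below).
"""
import hashlib
import hmac
import os
import secrets

# Constructed stand-ins for tls-server-end-point style certificate hashes.
GENUINE_CB = hashlib.sha256(b"constructed: genuine bank cert").digest()
PHISH_CB = hashlib.sha256(b"constructed: phisher's own cert").digest()


def mac(key, *parts):
    """HMAC over length-prefixed parts so fields cannot be re-split or confused."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Server:
    """Site end of the exchange; knows the shared key and its own channel id."""

    def __init__(self, key, channel_id):
        self.key, self.cb = key, channel_id

    def respond(self, client_nonce):
        # Step 2: site proves it knows the key, bound to both nonces and its channel.
        self.nonce = os.urandom(16)
        proof = mac(self.key, b"server", client_nonce, self.nonce, self.cb)
        return self.nonce, proof

    def verify_client(self, client_nonce, client_proof):
        # Step 4: site checks the client's proof (the usual password-side check).
        expected = mac(self.key, b"client", self.nonce, client_nonce, self.cb)
        return hmac.compare_digest(expected, client_proof)


class Client:
    """Browser end; releases its own proof only after the site has proven itself."""

    def __init__(self, key):
        self.key = key

    def start(self):
        # Step 1: fresh challenge to the site.
        self.nonce = os.urandom(16)
        return self.nonce

    def check_server(self, server_nonce, proof, channel_id):
        # Step 3: verify the site under the channel the client is actually connected to.
        expected = mac(self.key, b"server", self.nonce, server_nonce, channel_id)
        if not hmac.compare_digest(expected, proof):
            return None  # site failed: nothing derived from the secret is sent to it
        return mac(self.key, b"client", server_nonce, self.nonce, channel_id)


class RelayPhisher:
    """Phishing site that proxies the exchange to the genuine server over its own TLS."""

    def __init__(self, genuine):
        self.genuine = genuine

    def respond(self, client_nonce):
        return self.genuine.respond(client_nonce)

    def verify_client(self, client_nonce, client_proof):
        return self.genuine.verify_client(client_nonce, client_proof)


def run(client, site, channel_seen_by_client):
    """Drive one exchange; the client only knows the channel it is connected over."""
    cn = client.start()
    sn, proof = site.respond(cn)
    client_proof = client.check_server(sn, proof, channel_seen_by_client)
    if client_proof is None:
        return "client aborted: site could not prove knowledge of the secret"
    return "mutual auth ok" if site.verify_client(cn, client_proof) else "server rejected client"


def scenarios():
    key = secrets.token_bytes(32)  # shared secret established at enrolment
    genuine = Server(key, GENUINE_CB)
    return {
        "genuine site": run(Client(key), genuine, GENUINE_CB),
        # Phisher that only looks like the bank and has to guess the secret.
        "phisher without secret": run(Client(key), Server(secrets.token_bytes(32), PHISH_CB), PHISH_CB),
        # Phisher relaying to the real bank: client sees PHISH_CB, bank MACs over GENUINE_CB.
        "relay phisher, channel-bound": run(Client(key), RelayPhisher(genuine), PHISH_CB),
        # Caveat: with no channel binding the same relay passes mutual auth.
        "relay phisher, unbound": run(Client(key), RelayPhisher(Server(key, b"")), b""),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:30} -> {outcome}")
```

The ordering is the point: the client never emits anything derived from the secret until the site has passed step 3, so a look-alike site without the secret learns nothing, which is exactly what the "do you recognise this image?" check does not give you. The last scenario is the caveat a deployment needs: a pure challenge-response can be relayed by a phishing proxy, so the proof must also be tied to the connection the user is actually on.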