Re: Request for review and consensus -- draft-hartman-webauth-phishing

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 11 September 2008 13:37 UTC

Date: Thu, 11 Sep 2008 15:35:27 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Lisa Dusseault <lisa@osafoundation.org>, HTTP Working Group <ietf-http-wg@w3.org>, Apps Discuss <discuss@ietf.org>
Message-ID: <20080911133527.GA13697@nic.fr>
References: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
In-Reply-To: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
Subject: Re: Request for review and consensus -- draft-hartman-webauth-phishing
Archived-At: <http://www.w3.org/mid/20080911133527.GA13697@nic.fr>

On Wed, Sep 03, 2008 at 01:41:39PM -0700,
 Lisa Dusseault <lisa@osafoundation.org> wrote 
 a message of 39 lines which said:

> If you'd like to review it, please do.

I was skeptical about this work at the origin because phishing mitigation
is 50% UI design and 50% psychology, two domains where the IETF has
no expertise or legitimacy (which does not prevent some people from using
the fear of phishing to advance their ideas, as we saw for the IDN
protocol).

But I find the draft quite good because it is modest and stays in IETF
waters: network protocols. I agree with the general idea (using new
authentication protocols to reduce the incentive for phishing).

A few remarks:

Section 3, the sentence "As a consequence of this assumption, users
will likely be fooled by strings either in website names or
certificates that look visually similar but that are composed of
different code points." should be deleted. It is exactly the sort of
thing (psychology of users) that we should stay away from. Moreover,
it does not reflect the reality of phishing: very few phishers take
the trouble to fake the domain name (that's why the whole issue of
phishing for IDN is a red herring). Most of the phishing Web sites
have an unrelated domain name (smith.example.com) or even an IP
address. The few that try to fake the domain name use tricks like a
dash instead of a dot (secure-paypal.com) and do not rely on visual
confusability.

Section 4.5 says "Assuming that only certificates from trusted CAs are
accepted". I would delete it too. One of the big problems with X.509
is precisely that there is never an informed decision by the user to
trust a CA or not. The user typically blindly accepts what's in the
browser's list of CAs, a list which was compiled on many criteria, trust
being only one of them.