Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing

pgut001@cs.auckland.ac.nz (Peter Gutmann) Thu, 04 September 2008 15:26 UTC

From: pgut001@cs.auckland.ac.nz
To: discuss@ietf.org, ietf-http-wg@w3.org, lisa@osafoundation.org, saag@ietf.org, secdir@mit.edu
In-Reply-To: <47490048-25ED-403E-96B9-0D385F764292@osafoundation.org>
Message-Id: <E1KbGio-00037B-Q7@wintermute01.cs.auckland.ac.nz>
Date: Fri, 05 Sep 2008 03:26:10 +1200
Cc: ietf-http-auth@osafoundation.org
Subject: Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing

Lisa Dusseault <lisa@osafoundation.org> writes:

>You may have seen this draft a year ago; Sam is back working on it and
>produced version -09 last month.
>
>http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
>
>[...]
>
>b) Whether the document should require mutual authentication (section 4.4).

Yes, absolutely!  The whole reason why phishing works is that the site is
never authenticated; without mutual auth (and specifically strong mutual auth,
e.g. some form of cryptographic challenge-response mechanism rather than the
pretend-auth of "do you recognise this image?" that some US banks have
adopted) you're not really achieving much.

Peter.
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
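As an added example, not from Peter's message or from the draft, here is a toy strong mutual challenge-response exchange in which the shared key is bound to the site name the client is actually talking to and the client checks the server's proof before releasing anything of its own, so a site that does not hold the key (including one at a look-alike name) fails at step 3 and the client sends nothing further. The function names, the PBKDF2 key derivation and the HMAC message layout are my assumptions.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str, site: str) -> bytes:
    """Shared key derived from the password and the site name the client sees
    (assumed binding for this example; not the draft's scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), site.encode(), 20_000)


def proof(key: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """HMAC over a role tag and both nonces; the tag keeps a server proof
    from being reused as a client proof."""
    return hmac.new(key, role + c_nonce + s_nonce, hashlib.sha256).digest()


def run_exchange(password: str, site_seen: str, server_key: bytes):
    """Simulate both sides of the exchange. Returns (server_ok, client_ok):
    whether the client accepted the server, and whether the server then
    accepted the client."""
    client_key = derive_key(password, site_seen)
    # 1. client -> server: fresh client nonce
    c_nonce = secrets.token_bytes(16)
    # 2. server -> client: server nonce plus proof of possession of the key
    s_nonce = secrets.token_bytes(16)
    server_proof = proof(server_key, b"server", c_nonce, s_nonce)
    # 3. client verifies the site first; on failure nothing key-derived is sent
    expected = proof(client_key, b"server", c_nonce, s_nonce)
    if not hmac.compare_digest(server_proof, expected):
        return False, False
    # 4. client -> server: client proof, which the server verifies in turn
    client_proof = proof(client_key, b"client", c_nonce, s_nonce)
    client_ok = hmac.compare_digest(
        client_proof, proof(server_key, b"client", c_nonce, s_nonce))
    return True, client_ok


if __name__ == "__main__":
    # Constructed sample values
    genuine = derive_key("correct horse", "bank.example")
    print(run_exchange("correct horse", "bank.example", genuine))        # (True, True)
    # Look-alike name: the client's key is bound to the name it sees, so a
    # proof produced with the genuine key does not verify and the client stops
    print(run_exchange("correct horse", "bank-login.example", genuine))  # (False, False)
```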