[secdir] secdir review of draft-hartman-webauth-phishing-09.txt
"Carl Wallace" <CWallace@cygnacom.com> Fri, 24 October 2008 15:23 UTC
Return-Path: <secdir-bounces@ietf.org>
X-Original-To: secdir-archive@ietf.org
Delivered-To: ietfarch-secdir-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD8753A6BB2; Fri, 24 Oct 2008 08:23:12 -0700 (PDT)
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BDC523A6BAE for <secdir@core3.amsl.com>; Fri, 24 Oct 2008 08:23:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.878
X-Spam-Level:
X-Spam-Status: No, score=-3.878 tagged_above=-999 required=5 tests=[AWL=2.721, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bxTih2cboFk for <secdir@core3.amsl.com>; Fri, 24 Oct 2008 08:23:10 -0700 (PDT)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id 81F7B3A6BAC for <secdir@ietf.org>; Fri, 24 Oct 2008 08:23:10 -0700 (PDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m9OFOVHC004395 for <secdir@ietf.org>; Fri, 24 Oct 2008 11:24:31 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m9OFOMJu004350 for <secdir@PCH.mit.edu>; Fri, 24 Oct 2008 11:24:22 -0400
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id m9OFOFQB015660 for <secdir@mit.edu>; Fri, 24 Oct 2008 11:24:16 -0400 (EDT)
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by mit.edu (Spam Firewall) with SMTP id E7DB410BA643 for <secdir@mit.edu>; Fri, 24 Oct 2008 11:23:54 -0400 (EDT)
Received: (qmail 7091 invoked from network); 24 Oct 2008 15:10:19 -0000
Received: from CWallace@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4; 24 Oct 2008 15:10:19 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 24 Oct 2008 15:10:19 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Fri, 24 Oct 2008 11:23:53 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D487A494F@scygexch1.cygnacom.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: secdir review of draft-hartman-webauth-phishing-09.txt
Thread-Index: Ack17IYf+e9KSQgJRbS96wW0EVTM6g==
From: Carl Wallace <CWallace@cygnacom.com>
To: hartmans-ietf@mit.edu, secdir@mit.edu, iesg@ietf.org, alexey.melnikov@isode.com
X-Scanned-By: MIMEDefang 2.42
X-MIME-Autoconverted: from quoted-printable to 8bit by pch.mit.edu id m9OFOMJu004350
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Subject: [secdir] secdir review of draft-hartman-webauth-phishing-09.txt
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: secdir-bounces@ietf.org
Errors-To: secdir-bounces@ietf.org
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This abstract of this draft indicates it "proposes requirements for protocols between web browsers and relying parties at websites". Generally, the audience for the requirements seems to be broader than the abstract states and at times it was difficult to figure out who the intended audience is. It may be worthwhile to separate the requirements into UI requirements and protocol requirements. In paragraph 5 of section 1, the reference to "social engineering attacks against TLS server authentication" is unprepared and is not elaborated on. This is also stated in the Security Considerations section. An example or two would help. Are there any additional requirements that would help reduce the effectiveness of these attacks? In the first paragraph of section 3, there's a missing assumption that user's trust anchor stores are sufficiently poorly maintained (or CA issuance practices sufficiently broken) to enable the TLS certificate presented by the attacker to be validated. Section 4 should assert a requirement somewhere to properly maintain a trust store and validate certificates where used. In the third paragraph of section 4.4, the statement "a shared secret will provide a better confidence" isn't necessarily true. "will" should be "may" or "will often". Section 4.7 should address how a user can gain confidence in the server when setting up a new account. It's also not clear what the aim is in this section. Is the enrollment referenced here with a web site where an identity provider is used (and has a password for the user) or something different? In section 5, the statement "validation of the certificates used in TLS...can be useful" is an understatement. This should be required. Not sure if this draft is the right place to comment, but, if requirements are for UI designers, it may be worth including a note about credential selection dialogs displayed to clients engaged in mutual authentication with public key credentials. It's fairly common for the selection dialog to be pruned such that no credentials are displayed due to certification path complexities between the trust list of the server and the user's cert. It's also common for too many credentials to be displayed (including those that will be invalid in the given context). In section 1 and in Security Considerations, users gain assurance that a web page was "generated by a party that either knows their password or who is authenticated by an identity provider who knows their password". Why is this important? Shouldn't the assurance be that the page was generated by the entity authenticated as described in section 4.4? How does this reconcile with the requirement to not share a password during enrollment? The draft identifies password reuse as a problem but does not mention usage of tools to facilitate management of different passwords (aside from avoidance of plaintext password protocols). This seems worth discussing since the Security Considerations highlights a need to maintain passwords for legacy systems plus passwords for systems that meet these requirements or maybe it's just out of scope. Nits - In section 1.2, change "smoothe" to "amooth". - In the last sentence of the second paragraph in Security Considerations, change "there exposure" to "their exposure". - Change "OTher" to "Other" in title of Section 4.1 - In section 4.1, change "do not have smart cards" to "do not have smart card readers". - The abstract asserts a MUST that is not repeated in the body of the draft. _______________________________________________ secdir mailing list secdir@mit.edu https://mailman.mit.edu/mailman/listinfo/secdir _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir
- [secdir] secdir review of draft-hartman-webauth-p… Carl Wallace