Re: [dix] Re: [Ietf-http-auth] New draft on anti-phishing requirements
Nicolas Williams <Nicolas.Williams at sun.com> writes:
> On Mon, May 22, 2006 at 08:58:23AM -0700, Eric Rescorla wrote:
>> 1. This is not principally a protocol problem but rather a UI problem.
>
> I've not read Sam's I-D yet, but he did present to me last week, so
> perhaps I can comment.
>
> This is not just a UI problem, and there are several problems.
I agree that there are several problems, but only some subset of those
problems are the "phishing" problem.
>> The protocol problems are generally well understood. If the UI
>> problems are solved, nearly any protocol will work. In particular,
>> there have been a number of published designs [1] [2] that have mostly
>> adequate (though not perfect) protocols, though without complete
>> solutions to the UI problem. Indeed, a slightly different design
>> for Digest (in which the absolute URI was hashed) combined with
>> a secure UI would pretty much defeat current phishing attacks.
>
> So, the protocols and the [secure] UI have to be "combined" -- can you
> expand on this?
This is all pretty much laid out in the PwdHash and Felten papers.
-Ekr
_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.