[dix] Re: [Ietf-http-auth] New draft on anti-phishing requirements
On 5/22/06, Eric Rescorla <ekr at networkresonance.com> wrote:
> 1. This is not principally a protocol problem but rather a UI problem.
> The protocol problems are generally well understood. If the UI
> problems are solved, nearly any protocol will work. In particular,
> there have been a number of published designs [1] [2] that have mostly
> adequate (though not perfect) protocols, though without complete
> solutions to the UI problem.

One aspect of Sam's document that concerned me was the section on
possible UI solutions. The requirements around spoofing seem directly
opposed to the branding and usage patterns that web authors require.
HTTP authentication currently presents a modal dialog with no design
control, and this is a significant reason most sites opt for form
controls.
Roy has previously mentioned that 401 Unauthorized responses should be
displayed to the user. This would allow a site to embed a new type of
form control for authentication purposes... but as I mentioned above,
this intermingling could increase the risk of spoofing.
--
Robert Sayre