[dix] Re: [Ietf-http-auth] New draft on anti-phishing requirements
On Mon, May 22, 2006 at 02:40:36PM -0400, Sam Hartman wrote:
> Assume that examplebank.com is a financial institution that acts as an
> identity provider for themselves and for business partners. If they
> are given the ability to confirm that the website I'm going to is
> allowed to accept their identity, then they can give me an error if I
> attempt to use their identity with some random phishing site I got a
> link to in email.
>
> You may disagree that this defense is important. However it is a
> defense.
It amounts to a hook for white/black-listing.
It can only really work well as a whitelist, and only if the list is
kept very small.
ISPs acting as IdPs may not want to be in the blacklisting business,
and whitelisting won't be an option.
So I see this as an optional feature, not a requirement.
Nico
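
Added example, not part of the original messages: a sketch of the check Sam describes, implemented the way Nico characterizes it, as a small whitelist of relying parties consulted by the IdP before it vouches for a user. The partner host, function names and the returned fields are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed whitelist: sites that examplebank.com, acting as IdP, allows to
# accept its identity. "partner.example" is a hypothetical business partner.
ALLOWED_RELYING_PARTIES = frozenset({
    "examplebank.com",
    "www.examplebank.com",
    "partner.example",
})


def relying_party_host(url):
    """Return the canonical host of an https relying-party URL, else None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased, with userinfo and port removed
        parts.port             # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    try:
        # Compare in ASCII (IDNA) form so a look-alike Unicode label cannot
        # equal a whitelisted name; drop the optional trailing root dot.
        return host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None


def issue_assertion(user, relying_party_url):
    """IdP-side decision: vouch for `user` only to a whitelisted site."""
    host = relying_party_host(relying_party_url)
    if host is None or host not in ALLOWED_RELYING_PARTIES:
        # The error the user sees when a mailed link leads to an unknown site.
        return {"ok": False, "error": "site may not accept this identity"}
    # Exact host match only: no suffix or substring matching.
    return {"ok": True, "subject": user, "audience": host}


if __name__ == "__main__":
    for url in ("https://www.examplebank.com/login",
                "https://examplebank.com.phish.example/login",
                "https://examplebank.com@phish.example/login"):
        print(url, "->", issue_assertion("alice", url))
```
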