- From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
- Date: Thu, 04 Sep 2008 15:27:16 +0000
- To: discuss@ietf.org, ietf-http-wg@w3.org, lisa@osafoundation.org, saag@ietf.org, secdir@mit.edu
- Cc: ietf-http-auth@osafoundation.org
Lisa Dusseault <lisa@osafoundation.org> writes: >You may have seen this draft a year ago; Sam is back working on it and >produced version -09 last month. > >http://tools.ietf.org/html/draft-hartman-webauth-phishing-09 > >[...] > >b) Whether the document should require mutual authentication (section 4.4). Yes, absolutely! The whole reason why phishing works is that the site is never authenticated, without mutual auth (and specifically strong mutual auth, e.g. some form of cryptographic challenge-response mechanism rather than the pretend-auth of "do you recognise this image?" that some US banks have adopted) you've not really achieving much. Peter.
Received on Thursday, 4 September 2008 15:52:08 UTC