
Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Thu, 04 Sep 2008 15:27:16 +0000
To: discuss@ietf.org, ietf-http-wg@w3.org, lisa@osafoundation.org, saag@ietf.org, secdir@mit.edu
Cc: ietf-http-auth@osafoundation.org
Message-Id: <E1KbGio-00037B-Q7@wintermute01.cs.auckland.ac.nz>

Lisa Dusseault <lisa@osafoundation.org> writes:

>You may have seen this draft a year ago; Sam is back working on it and
>produced version -09 last month.
>
>http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
>
>[...]
>
>b) Whether the document should require mutual authentication (section 4.4).

Yes, absolutely!  The whole reason why phishing works is that the site is
never authenticated; without mutual auth (and specifically strong mutual auth,
e.g. some form of cryptographic challenge-response mechanism rather than the
pretend-auth of "do you recognise this image?" that some US banks have
adopted) you're not really achieving much.

Peter.
Received on Thursday, 4 September 2008 15:52:08 GMT
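The point made above is that in a cryptographic mutual challenge-response exchange the site must prove knowledge of the shared secret before the client releases anything, so a look-alike site that does not hold the secret learns nothing. The following is an added illustration, not code from the message, the draft, or any deployed protocol: a minimal two-nonce HMAC mutual authentication with a shared key derived from the password, run once against a genuine server and once against a stand-in "phishing" server that cannot compute the server proof. All names (`Server`, `PhishingServer`, `client_login`, the role labels) and the sample password and salt are constructed for this example.

```python
import hashlib
import hmac
import secrets


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Derive a fixed-length shared key from a password (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)


def proof(key: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """HMAC over both nonces, tagged with the prover's role so proofs can't be replayed
    in the other direction."""
    return hmac.new(key, role + client_nonce + server_nonce, hashlib.sha256).digest()


class Server:
    """Genuine server: holds the shared key and proves it before asking for the client's proof."""

    def __init__(self, key: bytes):
        self.key = key
        self.client_nonce = b""
        self.server_nonce = b""

    def respond(self, client_nonce: bytes):
        # Message 2: fresh server nonce plus proof of key knowledge bound to both nonces.
        self.client_nonce = client_nonce
        self.server_nonce = secrets.token_bytes(16)
        return self.server_nonce, proof(self.key, b"server", client_nonce, self.server_nonce)

    def verify_client(self, client_proof: bytes) -> bool:
        # Message 3 check: constant-time comparison of the client's proof.
        expected = proof(self.key, b"client", self.client_nonce, self.server_nonce)
        return hmac.compare_digest(client_proof, expected)


class PhishingServer:
    """Stand-in for a look-alike site that does not know the key. It can only
    send random bytes as its 'proof' and records anything the client sends it."""

    def __init__(self):
        self.captured = []

    def respond(self, client_nonce: bytes):
        return secrets.token_bytes(16), secrets.token_bytes(32)

    def verify_client(self, client_proof: bytes) -> bool:
        self.captured.append(client_proof)
        return True


def client_login(key: bytes, server) -> str:
    """Client side of the exchange. Releases its own proof only after the
    server's proof verifies; otherwise aborts without sending anything secret."""
    client_nonce = secrets.token_bytes(16)                      # message 1
    server_nonce, server_proof = server.respond(client_nonce)   # message 2
    expected = proof(key, b"server", client_nonce, server_nonce)
    if not hmac.compare_digest(server_proof, expected):
        return "aborted: server failed to prove knowledge of the secret"
    client_proof = proof(key, b"client", client_nonce, server_nonce)  # message 3
    return "authenticated" if server.verify_client(client_proof) else "rejected"


if __name__ == "__main__":
    # Constructed sample credential; in practice the salt would be per-user and stored server-side.
    key = derive_key(b"correct horse battery staple", b"example-salt")
    print("genuine server:", client_login(key, Server(key)))
    phish = PhishingServer()
    print("phishing server:", client_login(key, phish))
    print("proofs the phishing server captured:", len(phish.captured))
```

The server's proof is bound to the client's nonce, so it cannot be pre-recorded, and the client's proof is bound to the server's nonce, so a captured message 3 is useless against a later session. The caveat a practitioner should keep in mind: because the key here is derived directly from the password, a passive observer of a genuine exchange can still run an offline dictionary attack on the HMAC values, which is why real-world designs in this space use a PAKE rather than a bare password-derived HMAC.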
