
Re: [saag] [websec] [kitten] [apps-discuss] HTTP authentication: the next generation

From: Steven Bellovin <smb@cs.columbia.edu>
Date: Mon, 13 Dec 2010 13:57:03 -0500
Cc: Yoav Nir <ynir@checkpoint.com>, Common@core3.amsl.com, General discussion of application-layer protocols <apps-discuss@ietf.org>, websec <websec@ietf.org>, - Next Generation <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Carsten Bormann <cabo@tzi.org>, "saag@ietf.org" <saag@ietf.org>
Message-Id: <BA6B6B0B-C7D8-4CCB-88EB-946F51962B7C@cs.columbia.edu>
To: Yaron Sheffer <yaronf.ietf@gmail.com>

On Dec 13, 2010, at 10:32:53 AM, Yaron Sheffer wrote:

> Just like the phrase "I am not a lawyer" is always followed by amateur legal advice (I know that for sure, I've done it myself), the same goes for "I am not a UI expert".
> Two comments:
> - There are in fact a few security-usability experts. I don't know if any of them participate in the IETF. This is an emerging research field, see e.g. http://oreilly.com/catalog/9780596008277.
> - (I am not a UI expert, but...) Devising UI cues is extremely difficult. People will gladly enter their password when the web site displays a JPEG-rendered padlock icon. In fact *legitimate* sites have been known to display such icons, strange as it may sound.

Security and usability *is* one of my research areas.  I agree with Yoav: there are many problems with use of client-side certificates.  In general, I like them -- the only way to log in to the computers I control is with public-key authenticated SSH -- but there are very good reasons why they are seldom used.  Private key storage and transport is the major one, but key issuance and recovery from lost or stolen keys are serious issues as well.  The security community has made that worse by layering heavyweight policies and procedures on top of the certificate issuance process, even when the value of the resource being protected isn't high enough to justify it.

(I've been worrying about usability issues for a long time.  There was one I-D that I dealt with as AD that I abstained on -- I wouldn't vote "no-ob" because I did object, but I had no better suggestion than "go back and start over".  While dealing with that document, I emailed one of the top usability people and asked

	Do you know of papers on the difficulty of administering complex 
	access control lists?  I'm trying to convince people that a 
	seriously-complex scheme will lead to massive security failures, 
	because no one will be able to get the ACLs right.

So yes, there are people in the IETF who worry about UI issues.)

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
Received on Monday, 13 December 2010 18:57:54 UTC
