On Wed, Jun 15, 2011 at 4:44 AM, KIHARA, Boku <bkihara.l@gmail.com> wrote:
> To make the goal clear, let's list what kind of authentication methods
> should be avoided. One item is methods that hand over passwords,
> mentioned by Peter. Let me add methods whose UI can be imitated and
> the result can be forged by malicious sites. Like a padlock icon that
> insists the session is secured by TLS inside content area, Is a _secure_
> authentication method inside content area truly reliable?
>
> * a method that hands over a password (or a password-equivalent)
> * a method whose UI can be imitated by malicious sites.

The protocol and UI are not that closely related. I can't think of any
method that satisfies the first requirement that couldn't have a secure UI.

Nico
--
Received on Wednesday, 15 June 2011 14:17:51 GMT