
Re: [saag] [http-auth] [websec] re-call for IETF http-auth BoF

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Wed, 15 Jun 2011 23:32:32 +0900
Message-ID: <BANLkTimn5MQtBpiFzkM2GyHHZbwyP7+HuQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: "KIHARA, Boku" <bkihara.l@gmail.com>, public-identity@w3.org, http-auth@ietf.org, websec@ietf.org, saag@ietf.org

2011/6/15 Nico Williams <nico@cryptonector.com>:
>> * a method that hands over a password (or a password-equivalent)
>> * a method whose UI can be imitated by malicious sites.

> The protocol and UI are not that closely related.  I can't think of
> any method that satisfies the first requirement that couldn't have a
> secure UI.

How about a simple form-field extension which
encrypts some password with timed challenges?

OK, but your point suggests the following rephrasing:

 * a UI which can be imitated by malicious sites.

Although they are not closely related, we cannot completely
ignore the UI issues. I think that protocol designs
should, to some extent, consider how such UIs are to be provided
(especially when and how they are kicked in). How about it?
Received on Wednesday, 15 June 2011 14:33:01 GMT