- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Tue, 9 May 2006 10:42:50 -0400
- To: public-usable-authentication@w3.org
- Message-ID: <OFB6106865.9BA450A7-ON85257169.004CE02E-85257169.0050CF71@notesdev.ibm.com>
Thinking a bit more about this subthread and Thomas' last questions on it:
> Would people here be satisfied with a lightweight effort that
> (as suggested by Michael) initially just looks at the question
> that George asked: The logotype extensions of which
> certificates can sites epxect browsers to display?
>
> Or should formal work in this area immediately go towards more
> heavyweight trust labels, and the formats related to these?
The combination of some secure chrome with some secure metadata for
continuing relationships seems attainable. That would put a substantial
dent in the gain from phishing. If it was actually successful, attacks
would have to target convincing the user to bootstrap a new relationship
(albeit with someone that might be trustworthy if properly authenticated)
or somehow catch the user when they don't have access to their history of
interactions (kiosk mode, using a friend's computer, had to clear their
history or cookie cache because of some sort of bug or other issue). That
seems worth doing to me.
Mez
Received on Tuesday, 9 May 2006 14:43:18 UTC