Re: [saag] Request for review and consensus -- draft-hartman-webauth-phishing

Lisa Dusseault <lisa@osafoundation.org> writes:

>You may have seen this draft a year ago; Sam is back working on it and
>produced version -09 last month.
>
>http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
>
>[...]
>
>b) Whether the document should require mutual authentication (section 4.4).

Yes, absolutely!  The whole reason why phishing works is that the site is
never authenticated, without mutual auth (and specifically strong mutual auth,
e.g. some form of cryptographic challenge-response mechanism rather than the
pretend-auth of "do you recognise this image?" that some US banks have
adopted) you've not really achieving much.

Peter.

Received on Thursday, 4 September 2008 15:52:08 UTC