- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Tue, 9 May 2006 10:42:50 -0400
- To: public-usable-authentication@w3.org
- Message-ID: <OFB6106865.9BA450A7-ON85257169.004CE02E-85257169.0050CF71@notesdev.ibm.com>

Thinking a bit more about this subthread and Thomas' last questions on it:

> Would people here be satisfied with a lightweight effort that
> (as suggested by Michael) initially just looks at the question
> that George asked: The logotype extensions of which
> certificates can sites expect browsers to display?
>
> Or should formal work in this area immediately go towards more
> heavyweight trust labels, and the formats related to these?

The combination of some secure chrome with some secure metadata for continuing relationships seems attainable. That would put a substantial dent in the gain from phishing. If it was actually successful, attacks would have to target convincing the user to bootstrap a new relationship (albeit with someone that might be trustworthy if properly authenticated) or somehow catch the user when they don't have access to their history of interactions (kiosk mode, using a friend's computer, had to clear their history or cookie cache because of some sort of bug or other issue). That seems worth doing to me.

Mez

Received on Tuesday, 9 May 2006 14:43:18 UTC