RE: IETF Web Authentication Resistant to Phishing

Copying Sam, also
Here's a brief summary, without restating the challenges with existing
UID/PSWD based protocols today.

* Proposal Presented in IETF Context
  o Design new authentication mechanisms so mistakes are not fatal
  o Take advantage of existing identity relationships to help protect both parties
  o Permit servers to prove themselves to users before confidential information is disclosed
* Requirements for New Authentication Mechanisms
  o Support the user experience of passwords and other authentication mechanisms
  o Must not send the password to the server
  o Provide mutual authentication and guarantees that the page is generated by the intended server
  o Support enhanced security for federation
* Challenges
  o Designing authentication mechanisms that meet these requirements is relatively easy
  o Designing a UI that people actually pay attention to know if they are using new or old authentication mechanisms
  o Increase the number of clues users have to know if they are talking to the right server, but they need to critically evaluate this

Two links for participants:
  o http://tools.ietf.org/internet-drafts/draft-hartman-webauth-phishing.txt
  o Mailing list discussion: http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth

Michael Versace
Managing Executive, Security and Infrastructure
FINANCIAL SERVICES TECHNOLOGY CONSORTIUM
(617) 543-3007
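The three requirements in the summary above (the password is never sent, the server proves itself before anything confidential is disclosed, and the proof is tied to the server the user intends to talk to) are easier to see in a runnable sketch. The following Python is an added illustration for this thread, not code from the draft or from FSTC, and it is not the mechanism draft-hartman-webauth-phishing proposes: the PBKDF2/HMAC challenge-response, the ordering of messages, and the site names, usernames and passwords are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Added illustration, not the draft's mechanism: a mutual challenge-response
# in which the password never leaves the client and the server must prove it
# holds the stored verifier before the client sends anything password-derived.
# All site names, usernames and passwords below are constructed.

ITERATIONS = 20_000  # modest for a demo; production deployments use far more


def derive_key(password: str, salt: bytes) -> bytes:
    # Salted verifier shared by both sides; the password itself never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def transcript_mac(key: bytes, role: bytes, site: str, nonce_c: bytes, nonce_s: bytes) -> bytes:
    # MAC over a role label, the site name the party believes it is talking to, and both nonces.
    return hmac.new(key, role + site.encode() + nonce_c + nonce_s, "sha256").digest()


class Server:
    """Genuine site: stores salted verifiers, never sees cleartext passwords."""

    def __init__(self, site: str):
        self.site = site
        self.verifiers = {}  # username -> (salt, key)

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.verifiers[username] = (salt, derive_key(password, salt))

    def start(self, username: str, nonce_c: bytes):
        # Step 2: reply to the client's nonce with salt, server nonce and a proof of the verifier.
        salt, key = self.verifiers[username]
        nonce_s = os.urandom(16)
        return salt, nonce_s, transcript_mac(key, b"server", self.site, nonce_c, nonce_s)

    def finish(self, username: str, nonce_c: bytes, nonce_s: bytes, client_proof: bytes) -> bool:
        # Step 4: constant-time check of the client's proof.
        _, key = self.verifiers[username]
        expected = transcript_mac(key, b"client", self.site, nonce_c, nonce_s)
        return hmac.compare_digest(expected, client_proof)


class Impostor(Server):
    """Look-alike site with no verifier: it can mimic message shapes but not compute a valid proof."""

    def start(self, username, nonce_c):
        return os.urandom(16), os.urandom(16), os.urandom(32)

    def finish(self, username, nonce_c, nonce_s, client_proof):
        return False


class Relay(Server):
    """Look-alike site that forwards the exchange to the genuine server unchanged."""

    def __init__(self, site: str, genuine: Server):
        super().__init__(site)
        self.genuine = genuine

    def start(self, username, nonce_c):
        return self.genuine.start(username, nonce_c)

    def finish(self, username, nonce_c, nonce_s, client_proof):
        return self.genuine.finish(username, nonce_c, nonce_s, client_proof)


def login(username: str, password: str, site_seen_by_user: str, server) -> dict:
    """Client side; site_seen_by_user is the host the browser displays, and the proofs are bound to it."""
    nonce_c = os.urandom(16)                                        # step 1: client nonce
    salt, nonce_s, server_proof = server.start(username, nonce_c)   # step 2: server answers first
    key = derive_key(password, salt)
    expected = transcript_mac(key, b"server", site_seen_by_user, nonce_c, nonce_s)
    if not hmac.compare_digest(expected, server_proof):
        # Server did not prove itself: disclose nothing, not even a password-derived MAC.
        return {"server_authenticated": False, "client_authenticated": False}
    client_proof = transcript_mac(key, b"client", site_seen_by_user, nonce_c, nonce_s)  # step 3
    return {"server_authenticated": True,
            "client_authenticated": server.finish(username, nonce_c, nonce_s, client_proof)}  # step 4


if __name__ == "__main__":
    bank = Server("bank.example")
    bank.enroll("alice", "correct horse battery staple")
    print("genuine  ", login("alice", "correct horse battery staple", "bank.example", bank))
    print("typo     ", login("alice", "correct horse battery stapel", "bank.example", bank))
    print("impostor ", login("alice", "correct horse battery staple", "bank-login.example", Impostor("bank-login.example")))
    print("relay    ", login("alice", "correct horse battery staple", "bank-login.example", Relay("bank-login.example", bank)))
```

Two things the sketch makes concrete. First, binding the MAC to the host the user actually sees is what turns "mutual authentication" into "the page is generated by the intended server": a look-alike host that simply forwards the genuine server's messages still fails, because the genuine server's proof is computed over its own name. Second, the client cannot distinguish a mistyped password from a fake server (both cases return `server_authenticated: False`), which is exactly the UI problem listed under Challenges. The construction is a teaching sketch only: anyone who records the exchange can test password guesses offline against the MACs, which is one reason real designs move to password-authenticated key exchange.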

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Dan Schutzer
Sent: Wednesday, December 19, 2007 11:14 AM
To: 'Stephen Farrell'; michael.mccormick@wellsfargo.com;
public-wsc-wg@w3.org
Cc: 'Michael Versace'
Subject: RE: IETF Web Authentication Resistant to Phishing


FSTC's Dec 13th Security Standing Committee call had Sam present at our call
to present his ideas.

The full agenda is provided below. Michael Versace, can you summarize this
discussion? Unfortunately I was not able to make the meeting. Incidentally,
anyone on this distribution list that is interested can be added to the
Security Standing Committee distribution list and participate in these
calls.

Dan Schutzer 

The next Security and Infrastructure Committee Call of the FSTC is scheduled
for December 13, 2007, at 1:00 pm EST.  The agenda includes:

1. Sam Hartman, MIT - Designing Web Authentication to Protect Identity (see attached Sam Hartman - FSTC SCOM 1207.ppt)

2. Mary Ruddy, Project Higgins - User-centered Identity Management (see attached Higgins-FSTC-Intro-zip)

3. FSTC Annual Report Draft (see attached FSTC Annual Report - 2msv.doc)

4. Key Project Activities


-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Stephen Farrell
Sent: Wednesday, December 19, 2007 10:55 AM
To: michael.mccormick@wellsfargo.com; public-wsc-wg@w3.org
Subject: Re: IETF Web Authentication Resistant to Phishing

Thomas Roessler wrote:
> On 2007-12-13 12:42:14 -0600, michael.mccormick@wellsfargo.com wrote:
> 
>> http://tools.ietf.org/internet-drafts/draft-hartman-webauth-phishing-06.txt
>>
>> Shouldn't W3C and IETF be coordinating these efforts?  They seem
>> interdependent since any new web security protocols require secure UIs
>> (and possibly vice-versa).
> 
> Note that this is an individual submission (by a very influential
> individual, nonetheless; yet, not uncontested) trying to mostly
> address some requirements analysis.  I know that several folks at
> W3C have been carefully watching the discussion around this one.
> General coordination happens during regular calls between W3C staff
> and the IESG.
> 
> Also, if this working group wanted to review the current draft and
> send comments, that would certainly be a worthwhile endeavour.
> 
> See also:
>   http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0177.html  

That I-D was one of the subjects of the HTTP authentication bar bof
in Vancouver. There was talk of arranging a workshop sometime and
discussion is taking place on some list I can't recall right now.

S.

Received on Wednesday, 19 December 2007 18:23:55 UTC