Thread: New draft on anti-phishing requirements

New draft on anti-phishing requirements
user name
2006-05-22 17:25:42
Sam Hartman <hartmans-ietf@mit.edu> writes:

>>>>>> "Eric" == Eric Rescorla <ekr@networkresonance.com> writes:
>     Eric> Right. I indicated in my message, I'm not sure this draft
>     Eric> dissects the reqts correctly.
>
> Understood. However all your criticisms to date have been rather
> minor.

Hmm... I didn't mean to give that impression. I certainly don't
think the "it's all about UI" point is minor.

In any case, I'll try to write up a more substantial review when
I have some more time, probably in the next week or so.

-Ekr

_______________________________________________
Ietf-http-auth mailing list
Ietf-http-auth@osafoundation.org
http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth
New draft on anti-phishing requirements
user name
2006-05-22 17:53:00
>>>>> "Eric" == Eric Rescorla <ekr@networkresonance.com> writes:

    Eric> Sam Hartman <hartmans-ietf@mit.edu> writes:
    >>>>>>> "Eric" == Eric Rescorla <ekr@networkresonance.com> writes:
    Eric> Right. I indicated in my message, I'm not sure this draft
    Eric> dissects the reqts correctly.
    >> Understood. However all your criticisms to date have been
    >> rather minor.

    Eric> Hmm... I didn't mean to give that impression. I certainly
    Eric> don't think the "it's all about UI" point is minor.

I am not sure whether it is minor.  I think we are in broad agreement
that the interesting work in this space must involve the UI and is not
principally a protocol problem.

--Sam
New draft on anti-phishing requirements
user name
2006-05-24 09:47:34
On 2006-05-22 13:53:00 -0400, Sam Hartman wrote:

> I think we are in broad agreement that the interesting work
> in this space must involve the UI and is not principally a
> protocol problem.

I very much agree.

Incidentally, you may want to have a look at the report from the
March W3C workshop:

  http://www.w3.org/2005/Security/usability-ws/report

We (W3C) are currently thinking about how to best charter work
that would specify some browser user interface components that
would have to be outside the control of web sites, and could be
used to make sure that users know (as opposed to look at on
their screens) where they are going to send their confidential
information.

Another element that we took as important from the workshop in
NYC is to enable user agents to reliably recognize HTML forms
that are used for authentication.  This ability would enable
user agents to manage credentials on behalf of the user. It
would also enable user agents to *not* submit credentials using
HTTP POST (even when entered through HTML forms), but instead
grab them and use them for whatever HTTP-level authentication
mechanism is used.  User agents could also do intelligent
things in the UI to make sure that users understand what they
are doing here.

PS: I'm currently at WWW 2006 in Edinburgh.  If any of you guys
want to chat more about this, please feel free to drop me a
line, so we can meet up somewhere.

Regards,
-- 
Thomas Roessler, W3C   <tlr@w3.org>
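Thomas's second point above, that a user agent could recognize a credential-collecting form, keep the credential under its own control and carry it at the HTTP layer rather than in a POST body, as an added Python example. This is not code from the thread, from W3C or from any browser: the recognition heuristics (an input of type password marks an authentication form; the first named text or email input is taken as the user name), the constructed sample page, and the use of HTTP Basic as the stand-in for "whatever HTTP-level authentication mechanism is used" are all assumptions made here for illustration.

```python
"""Recognise authentication forms the way a user agent might, then show
how the UA could carry the credential at the HTTP layer instead of
POSTing it.  Added example; heuristics and sample data are assumptions."""
import base64
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


@dataclass
class Form:
    action: str
    method: str
    inputs: list = field(default_factory=list)  # (type, name) pairs


class FormCollector(HTMLParser):
    """Collect every <form> and the <input> elements it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = Form(action=a.get("action") or "",
                                 method=(a.get("method") or "get").lower())
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current.inputs.append(((a.get("type") or "text").lower(),
                                         a.get("name")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_forms(html):
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def classify_auth_form(form, page_url):
    """Return a description of an authentication form, or None if the
    form collects no password (assumed heuristic: password input present)."""
    passwords = [n for t, n in form.inputs if t == "password"]
    if not passwords:
        return None
    username = next((n for t, n in form.inputs
                     if t in ("text", "email") and n), None)
    target = urljoin(page_url, form.action)
    return {
        "username_field": username,
        "password_field": passwords[0],
        "target": target,
        "method": form.method,
        # Facts a UA can show the user instead of leaving them to read the URL bar.
        "https": urlsplit(target).scheme == "https",
        "cross_origin": urlsplit(target).netloc != urlsplit(page_url).netloc,
    }


def find_auth_forms(html, page_url):
    return [d for d in (classify_auth_form(f, page_url) for f in parse_forms(html)) if d]


def basic_auth_header(username, password):
    # HTTP Basic stands in for the HTTP-level scheme; the thread leaves it open.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def ua_request_plan(auth_form, username, password):
    """How the UA would send the credential: as an Authorization header on
    the request to the form's target, with no form body.  A plaintext target
    is refused rather than leaking the credential over HTTP."""
    if not auth_form["https"]:
        raise ValueError(f"refusing to send a credential to {auth_form['target']} over plaintext")
    return {"method": "GET", "url": auth_form["target"],
            "headers": basic_auth_header(username, password), "body": None}


# Constructed sample page: a search form, a login form posting cross-origin
# over TLS, and a login form posting same-origin over plaintext.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_PAGE = """
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="https://login.example.net/session" method="post">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<form action="http://www.example.com/login" method="post">
  <input type="email" name="mail"><input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    for form in find_auth_forms(SAMPLE_PAGE, PAGE_URL):
        print(form)
        try:
            print(ua_request_plan(form, "alice", "s3cret"))
        except ValueError as err:
            print("blocked:", err)
```

Running the module lists the two credential forms with the facts a UA could surface (target host, cross-origin, TLS) and shows the credential leaving only as an Authorization header on the TLS target, while the plaintext target is blocked; the search form is ignored.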