Sam,

I've reviewed draft-hartman-webauth-phishing-03.txt. In general I agree
with the tone of it in terms of how to address these sorts of threats.
However, I have a problem with its scope. The problem you discuss
extends well beyond just HTTP already. Furthermore, your assumption
that the computer is secure is a bad one. I'm not saying that we should
require smart cards; as a matter of threat analysis, you should allow
for the idea that the computer may not be secure, and hence allow for
approaches that address that problem. Note I did not say "require".
However, you need to consider your other requirements in the context of
such approaches.

I also think Section 4.1 is unnecessary. Attempting to simply repair
passwords is one legitimate approach, but it shouldn't be the only one.
In fact, I would argue that you are setting up users for very serious
problems by perpetuating an approach that requires them to either write
down their passwords or use the same one for multiple sites. This
section, IMHO, represents a requirement for poor modularity.

Also, you have a number of editorial oddities. A "Google paper" should
be treated as any other reference, for instance. Finally, quite a
number of your requirements are unclear. See for instance your first
sentence in 4.1. The second phrase is mystifying.

I would appreciate the opportunity to work with you on the above issues,
as well as improve your introduction, which I believe warrants some
additional effort (I am tempted to ask that you include a glossary), but
I do not support this document moving forward at this time, although I
do support it moving forward once these issues are addressed.

Thanks,
Eliot
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf