Hi. Both your and Eric's comments need a longer response.

It was my intent to use strong and weak password equivalents in the same way as the IAB document. We agree on what the IAB document defines the terms to mean. I'll go look through my text and clarify what needs clarification.

I'm confused by your comments on 3.1. I agree with you that an attacker could take, for example, a login password in today's systems and use that to gain the information necessary to spoof other UI. The primary goal of this document is to propose requirements that make it difficult for the attacker to capture such a password. What do you think I'm doing wrong in 3.1?

Also in 3.1 you talk about on-path attacks. I guess this needs better wording, because basically everyone who has read the document has commented on that phrase. So, examples of an on-path attack include mounting a MITM against TLS and hoping the user will click "accept this certificate" for the bogus cert you provide; DNS attacks; etc. I'm trying to say that attackers have these capabilities and that we need to evaluate both current and future systems against such attacks. How can I help clarify what I'm trying to say?

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf