Michael Dillon said:

"Personally, I would like to see some more criticism of the fact that this draft is about Phishing, a symptom of security problems, rather than about strengthening a weakness in Internet security. It is entirely possible to "solve" the phishing problem without strengthening the network, and possibly even introducing new weaknesses. Being too focused on one symptom is not a good way to approach security. Indeed, it is entirely possible that the solution to phishing lies with the banking system, not with the Internet or IETF."

I think this is a very good point. Ultimately, the explosion of attacks that we are seeing is fed by the ability of miscreants to convert personal information into cash. Phishing is only one avenue for this - the miscreants have shown an ability to quickly develop new attacks and business models. So we need to think carefully about distinguishing symptoms from underlying causes. If we just focus on symptoms, we will be playing a game of Whack-a-Mole.

For example, the document states that anti-phishing measures MUST support passwords, yet with the increasing prevalence of keystroke logging malware, it is not clear to me that merely avoiding the sending of cleartext passwords over the wire is enough.

In terms of underlying causes, the ease with which personal information (social security number, bank account #s, birthdate, etc.) can be utilized for identity theft and subsequent fraud is sobering.

A sampling of recent stories in the news:

http://www.identitytheftdaily.com/
http://www.forbes.com/feeds/ap/2007/08/16/ap4027723.html
http://www.schneier.com/blog/archives/2005/08/identity_thief.html
http://mortgagefraud.squarespace.com/journal/2004/4/7/id-theft-leads-to-charges-for-six-amerifunding-scheme.html
http://www.usdoj.gov/usao/pae/News/Pr/2006/jul/whitesmith_release.pdf
http://www.courant.com/news/custom/topnews/hcu-mortgage-0828,0,3482889.story
http://money.guardian.co.uk/scamsandfraud/story/0,,1669152,00.html

While I'm willing to accept that many of these stories originate in fundamental weaknesses within the financial system, I'm not so sure that the IETF has no role to play with respect to development of technology that could help.