Michael Dillon said:

> "Personally, I would like to see some more criticism of the fact that
> this draft is about Phishing, a symptom of security problems, rather
> than about strengthening a weakness in Internet security. It is entirely
> possible to "solve" the phishing problem without strengthening the
> network, and possibly even introducing new weaknesses. Being too focused
> on one symptom is not a good way to approach security. Indeed, it is
> entirely possible that the solution to phishing lies with the banking
> system, not with the Internet or IETF."

Phishing is not a problem only for the banking industry. We have discovered phishing websites on the Internet designed to mimic web authentication systems deployed at my University, obviously designed to steal our passwords.

I certainly agree with attacking the cause rather than the symptom. But a portion of Sam Hartman's draft is in fact dealing with a cause of the symptom: namely, the part that is trying to protect user credentials from disclosure to an unauthorized party -- by proposing to eliminate the near-ubiquitous phenomenon of sending passwords over TLS to an application server, and using proper cryptographic authentication techniques that don't transmit long-lived passwords or keys over the network, period. It's about time the IETF stood up and said that. And yes, I agree that a new, properly designed version of HTTP Digest authentication might be one way to help, as well as the various zero-knowledge protocols.

Bernard Aboba said:

> So we need to think carefully about distinguishing symptoms from
> underlying causes. If we just focus on symptoms, we will be
> playing a game of Whack-a-mole. For example, the document states that
> anti-phishing measures MUST support passwords, yet with the increasing
> prevalence of key stroke logging malware, it is not clear to me that
> merely avoiding the sending of cleartext passwords over the wire is
> enough.
We can have a discussion about whether long-lived, human-memorizable passwords have a future. But we have to deal with the reality today. I suppose that some time in the distant future we might all be using public key authentication, carrying around our PKI credentials on smart cards; mechanisms to interface those cards to end systems will be commonplace, systems and federations of PKIs will be ubiquitous, proper certificate revocation infrastructure will be in place, etc. But we are very far from that world.

If passwords altogether are eliminated, then I presume malware will just evolve to deal with it. So the whack-a-mole game will continue as usual. Users could be tricked into installing a trojan horse that captured their private key or logged the passphrase that they typed to unlock it. Should we be recommending non-reusable passwords or smartcards/tokens everywhere? At some level, you have to trust the software on your endstation. Even if you've protected your authentication credentials, not trusting endstation software means that you may not be able to conduct any private or sensitive tasks on it. I don't think this problem can be solved until we have radically more secure designs in both operating systems and applications. Even that may not be enough.

--Shumon.
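The kind of challenge-response the post contrasts with sending a password over TLS, shown as an added example that is not part of the thread or of Sam Hartman's draft: an RFC 2617 HTTP Digest (qop=auth) exchange in Python, where only a one-way hash crosses the wire and the server checks it against a stored H(A1) rather than the password. The username, realm, URI and password are constructed sample values.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) from RFC 2617. A server can store this instead of the password;
    the client derives it locally from what the user typed."""
    return _md5(f"{username}:{realm}:{password}")


def client_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client side of Digest with qop=auth. This hex digest, not the password,
    is what goes into the Authorization header."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str, nc: str,
                  cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored H(A1) and compare in constant time."""
    expected = client_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def run_exchange(password: str = "correct horse", eavesdrop_replay: bool = False) -> dict:
    """One constructed GET exchange. Returns the header an observer on the wire
    would see and whether the server accepts it. With eavesdrop_replay=True the
    captured response is presented against a fresh server nonce, which is what a
    replayed header faces, and verification fails."""
    username, realm, uri, method = "alice", "example.edu", "/portal/login", "GET"
    server_nonce = secrets.token_hex(16)           # fresh per challenge
    nc, cnonce = "00000001", secrets.token_hex(8)
    ha1 = make_ha1(username, realm, password)       # the server holds the same H(A1) from enrollment
    resp = client_response(ha1, method, uri, server_nonce, nc, cnonce)
    wire = (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{server_nonce}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')
    check_nonce = secrets.token_hex(16) if eavesdrop_replay else server_nonce
    ok = server_verify(ha1, method, uri, check_nonce, nc, cnonce, resp)
    return {"wire": wire, "accepted": ok}
```

The password never appears in the header, but a captured header still permits an offline dictionary attack on a weak password, which is the gap a redesigned Digest or a zero-knowledge (PAKE-style) protocol is meant to close.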