Actually, a fundamental problem with the current protocol is that there was little attention paid to the requirements of UI design experts. The natural result is that application developers worked with what they had to produce an interface usable by their average user. Any critique of the protocol or new protocol in this space MUST consider interactive usage AND unattended program-to-program authentication. In the end 'phishing' is about UI and not protocols.

Dave Morris

On Tue, 11 Sep 2007, Sam Hartman wrote:

> >>>>> "Shumon" == Shumon Huque <shuque@xxxxxxxxxxxxx> writes:
>
>     Shumon> And yes, I agree that a new properly designed version of
>     Shumon> HTTP Digest authentication might be one way to help. As
>     Shumon> well as the various zero knowledge protocols.
>
> I believe that http digest plus channel bindings does meet all the
> requirements that draft-hartman-webauth-phishing discusses for
> authentication systems. Clearly the protocol cannot define the UI issues.