On 6-Jul-06, at 12:56 PM, Sam Hartman wrote:
> "Dick" == Dick Hardt <[EMAIL PROTECTED]> writes:
> Dick> Agreed. My point is that it is much easier to solve it in
> Dick> one place then on all sites. The IdP can become a
> Dick> combination of client side and server side code to deal much
> Dick> more effectively with the phishing issue. It is unreasonable
> Dick> for every site to do that.
>
> I'm missing something here. Long term, it seems like all the clients
> are going to need to change so that they can interact with the new
> IDPs. Long term, the servers are definitely going to need to change
> so they can accept information from the IDPs. I don't see why it is
> unreasonable to solve this on all sites long-term. In fact, I believe
> we're going to have to in order to deal with my requirement 4.4
> (mutual authentication). And yes, I think that requirement is really
> important because without it, you don't have assurance that you aren't
> giving personal information to the wrong party--you don't have
> assurance that you aren't being phished.
I'll see if I can clarify:
1) Most sites are not targeted by phishers today, and unlikely to be
targeted in the future, so they should not be forced to put in
technology for resolving phishing.
2) Currently the user has NO trusted site or client and is easily
phished. Once the user has one trusted software system, then that
system can more easily determine the identity of other sites. In
other words, the user will not have to build up the full assurance
stack with each site, the user can leverage something they already
trust to assist in making the trust decision.
> I think the question we should be asking in this space is whether
> there is something we can do in short-to-medium term that has
> acceptable intermediate security. A question you're presumably
> interested in is whether DIX or something close to it would be such a
> something.
Agree that we need to work on a short-to-medium term improvement.
Phishing, like most complex problems, likely requires a combination
of things to minimize.
Per my comments above, once the user has a trusted identity agent,
DIX could be used by the user to interact in a more trusted manner
with other sites, with a lower burden on those sites.
> I don't know what my answer to that question is. I hope to have
> decided by the end of the BOF.
I think the BOF is going to be interesting -- uncertain on what will
be answered. :)
-- Dick
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix