Requirements for Web Authentication Resistant to Phishing
draft-hartman-webauth-phishing-09
| Field | Value |
|---|---|
| Document type | Expired Internet-Draft (individual in app area) |
| Author | Sam Hartman |
| Last updated | 2015-10-14 (Latest revision 2008-08-18) |
| Stream | Internet Engineering Task Force (IETF) |
| Intended RFC status | Informational |
| Formats | Expired & archived: plain text, html, xml, htmlized, pdfized, bibtex |
| WG state | (None) |
| Document shepherd | (None) |
| IESG state | Expired (IESG: Dead) |
| Action holders | (None) |
| Consensus boilerplate | Unknown |
| Telechat date | (None) |
| Responsible AD | Lisa M. Dusseault |
| Send notices to | alexey.melnikov@isode.com |
https://www.ietf.org/archive/id/draft-hartman-webauth-phishing-09.txt
Abstract
This memo proposes requirements for protocols between web browsers and relying parties at websites; these requirements also affect third parties involved in the authentication process. The requirements minimize the likelihood that criminals will be able to obtain the credentials necessary to impersonate a user, or be able to fraudulently convince users to disclose personal information. To meet these requirements, browsers must change. Websites must never receive information, such as passwords, that can be used to impersonate the user to third parties. Browsers should authenticate the website to the browser as part of authenticating the user to the website. Browsers MUST flag situations in which this authentication fails, and flag situations in which the target website is not authorized to accept the identity being offered, as this is a strong indication of fraud. These requirements may serve as a basis for requirements for preventing fraud in environments other than the web.