Requirements for Web Authentication Resistant to Phishing
draft-hartman-webauth-phishing-09
Document history
Date | Rev. | By | Action |
---|---|---|---|
2015-10-14
|
09 | (System) | Notify list changed from hartmans-ietf@mit.edu, alexey.melnikov@isode.com to alexey.melnikov@isode.com |
2012-08-22
|
09 | (System) | post-migration administrative database adjustment to the No Record position for Cullen Jennings |
2009-02-19
|
09 | (System) | Document has expired |
2008-08-18
|
09 | (System) | New version available: draft-hartman-webauth-phishing-09.txt |
2008-08-15
|
08 | (System) | New version available: draft-hartman-webauth-phishing-08.txt |
2008-07-13
|
07 | (System) | New version available: draft-hartman-webauth-phishing-07.txt |
2008-05-21
|
09 | (System) | State Changes to Dead from AD is watching by system |
2008-05-21
|
09 | (System) | Document has expired |
2008-03-17
|
09 | Cullen Jennings | [Ballot Position Update] Position for Cullen Jennings has been changed to Undefined from Discuss by Cullen Jennings |
2007-11-18
|
06 | (System) | New version available: draft-hartman-webauth-phishing-06.txt |
2007-10-06
|
09 | Cullen Jennings | [Ballot discuss] This is a discuss Discuss. Is there consensus for this document or not? |
2007-09-12
|
09 | Lisa Dusseault | State Changes to AD is watching from IESG Evaluation::Revised ID Needed by Lisa Dusseault |
2007-09-12
|
09 | Lisa Dusseault | By the time this draft got to IESG Evaluation, it became clear to me, the author and the shepherd (Alexey Melnikov), that another revision and more community input would be a very good thing. Alexey has volunteered to help drive that and evaluate informal consensus as a 3rd party, and is doing so on the ietf-http-auth list. |
2007-08-24
|
09 | (System) | Removed from agenda for telechat - 2007-08-23 |
2007-08-23
|
09 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2007-08-23
|
09 | Lisa Dusseault | [Ballot discuss] As document sponsor I'm taking on Cullen and Ross's DISCUSSes to determine consensus better on this document. |
2007-08-23
|
09 | Lisa Dusseault | [Ballot Position Update] Position for Lisa Dusseault has been changed to Discuss from Yes by Lisa Dusseault |
2007-08-23
|
09 | Ross Callon | [Ballot discuss] This might be redundant with Cullen's discuss, but... To me this document addresses a very important issue. However, it also seems clear from the related email discussion that this document does not represent IETF consensus. Given that this is coming from a security AD, I think that the "General's dilemma" (i.e., the danger of the document being interpreted as being more normative than it is intended to be) is particularly important to avoid in this case. Therefore I think that we need to add some sort of warning to the extent that this document is an individual submission that is intended to help to encourage progress on dealing with phishing attacks, but that this does not represent IETF consensus at this time, and that this does not set requirements for future work. We might also want to take a close look at the document regarding whether "requirement" should be "recommendation" in some or all cases. |
2007-08-23
|
09 | Ross Callon | [Ballot Position Update] Position for Ross Callon has been changed to Discuss from Undefined by Ross Callon |
2007-08-23
|
09 | Ross Callon | [Ballot discuss] This might be redundant with Cullen's discuss, but... To me this document addresses a very important issue. However, it also seems clear from the related email discussion that this document does not represent IETF consensus. Given that this is coming from a security AD, I think that the "General's dilemma" (i.e., the danger of the document being interpreted as being more normative than it is intended to be) is particularly important to avoid in this case. Therefore I think that we need to add some sort of warning to the extent that this document is an individual submission that is intended to help to encourage progress on dealing with phishing attacks, but that this does not represent IETF consensus at this time, and that this does not set requirements for future work. We might also want to take a close look at the document regarding whether "requirement" should be "recommendation" in some or all cases. |
2007-08-23
|
09 | Ross Callon | [Ballot Position Update] Position for Ross Callon has been changed to Undefined from Discuss by Ross Callon |
2007-08-23
|
09 | Ross Callon | [Ballot Position Update] Position for Ross Callon has been changed to Discuss from Undefined by Ross Callon |
2007-08-23
|
09 | Ross Callon | [Ballot Position Update] Position for Ross Callon has been changed to Undefined from No Objection by Ross Callon |
2007-08-23
|
09 | Chris Newman | [Ballot comment] I am voting yes because I feel strongly the IETF needs to publish and approve a document like this and do so relatively soon to take a step forward in this area. I have spoken to some reviewers in the applications area who were pleasantly surprised after reading this document and found it clear and valuable. I am seeing an emerging rough consensus in the intersection between application and security areas to do real work on this topic. Getting a minimalist requirements document done might allow that effort to skip the time-wasting requirements gathering phase and move on to evaluation of real protocol work that will draw in the appropriate technical experts and would thus be good for the IETF in general. This document needs a revision to address the changes Sam wants to make based on Eric's review, Russ's comments and the issues Christian Vogt raised. I trust Jari to hold his discuss for that revision. It is my educated guess there is rough consensus in the IETF to publish this document. However, additional work to document that rough consensus would be helpful given the strength of the two last call objections. I trust Cullen to hold his discuss awaiting such evidence. |
2007-08-23
|
09 | Chris Newman | [Ballot Position Update] New position, Yes, has been recorded by Chris Newman |
2007-08-22
|
09 | Ron Bonica | [Ballot comment] I am voting "no-objection" with some reservations about whether we really have community consensus. At least two people have voiced strong objections to the publication of this document. Another has suggested that individual submission is not the appropriate mechanism to tackle such an important topic. |
2007-08-22
|
09 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica |
2007-08-22
|
09 | Cullen Jennings | [Ballot discuss] This is a discuss Discuss. My view of this whole thread on this document is that the key question is simple: Is there consensus for this document or not? In the past, we have treated documents where at least one or two people thought it was a good idea and no one objected as having consensus. This document is a bit different because at least a couple people seem to think this document should not be published as is. It's very unclear to me how many people do or do not think this should be published and makes it hard for me to try and decide if there is consensus. |
2007-08-22
|
09 | Cullen Jennings | [Ballot Position Update] New position, Discuss, has been recorded by Cullen Jennings |
2007-08-22
|
09 | Jari Arkko | [Ballot discuss] I'd like Christian Vogt's comments (see below) for Sections 4.3 and 8 to be addressed. |
2007-08-22
|
09 | Jari Arkko | [Ballot Position Update] Position for Jari Arkko has been changed to Discuss from No Objection by Jari Arkko |
2007-08-22
|
09 | Jari Arkko | [Ballot comment] Christian Vogt's review: This document provides guidance on designing secure authentication mechanisms for Web services. The goal is to replace HTML-form- and password-based mechanisms that are commonly used today. The document is a valuable step forward in the combat against phishing. However, below are a few issues that Sam might want to address before this document becomes an RFC. Section 3.1 (Capabilities of Attackers): The 1st paragraph lists mechanisms by which an attacker can trick a victim user into accepting a spoofed Web site. One of them is "on-path network attacks". I am unsure what is meant by this. It could refer to attacks on DNS, but those attacks are listed separately. It could also refer to MiTM attacks on TLS connection establishment, but it is assumed that certificates are available. In consequence, I would assume that it refers to the process of obtaining a certificate. But this is unclear and should be clarified. Section 3.1 (Capabilities of Attackers): The 2nd paragraph of section 3.1 describes which components of a UI an attacker might be able to forge. The text differentiates between components that are based on special knowledge about the user (such as an account balance or transaction history), and components that do not require such knowledge (such as a login page). What I am missing here is some thoughts on how far forgery of the latter type of component could enable forgery of the former type. Reusing the examples in parentheses, an attacker might be able to trick a victim user into providing a password via a spoofed login page, and then retrieve the user's current account balance and transaction history from the legitimate site in order to subsequently print it on another spoofed page. 
Section 4.3 (No Password Equivalents): The terms "strong/weak password equivalence" seem to be used differently in this document than in [draft-iab-auth-mech], which is used as a reference in this document. In [draft-iab-auth-mech], the terms are used to describe a dependency between login credentials for different systems, while in this document, they are used for the data exchanged between an authenticator and an authenticatee. Section 8 (Security Considerations): Paragraph 5 mixes two issues: (i) Web sites using both the proposed authentication mechanism and a legacy, HTML-based mechanism for backwards compatibility (ii) users who take the same password for Web sites with the proposed authentication mechanism and Web sites with a legacy authentication mechanism These two issues are orthogonal and should be separated. While the document suggests a solution for issue (ii) -- which calls for users not to use the same password for different Web sites --, there is no suggested solution for issue (i). One possible solution could be to provide a mechanism by which users can disable access through legacy authentication mechanisms. Re-enabling access for legacy authentication mechanisms could be accomplished only through the proposed authentication mechanism. Maybe Sam wants to add this to his draft... Editorial: - General Abbreviation "UI" is never spelled out. I'd recommend spelling it out everywhere. - Abstract s/providers and users and for /providers and users, and/ s/These requirements may serve/These requirements may also serve/ ? - Section 4.1 s/Passwords and OTher Methods/Passwords and Other Methods/ s/do not have smart cards/do not have smart card readers/ s/access to other resources may/access to other resources--may/ - Section 4.2 s/security community has/security community has done/ - Section 4.3 s/No Password Equivelents/No Password Equivalents/ - Section 4.6 s/the the/the/ |
2007-08-22
|
09 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
2007-08-22
|
09 | Lars Eggert | [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert |
2007-08-22
|
09 | Jari Arkko | [Ballot Position Update] Position for Jari Arkko has been changed to No Objection from Yes by Jari Arkko |
2007-08-21
|
09 | Jari Arkko | [Ballot Position Update] New position, Yes, has been recorded by Jari Arkko |
2007-08-20
|
09 | David Ward | [Ballot Position Update] New position, No Objection, has been recorded by David Ward |
2007-08-19
|
09 | Russ Housley | [Ballot comment] Section 3 says: > > Similarly in a system that used smart cards, the smart cards would > need to be trusted not to give attackers access to private keys or > other authentication material. > This should accommodate other authentication tokens too. I suggest: > > Similarly in a system that uses smart cards or other authentication > tokens, the token needs to be trusted not to give attackers access > to private keys or other authentication material. Section 4.1 says: > > Carrying a smart card or USB token ... > To match above, I suggest: > > Carrying a smart card or other authentication token ... > Then, the remaining text in Section 4.1 should be revised to talk about authentication tokens in general. Most is unnecessarily specific to smart cards. I think the Security Considerations should say something about DNS, especially in the context of the RFC 2818 checking. |
2007-08-19
|
09 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley |
2007-08-16
|
09 | Tim Polk | [Ballot Position Update] New position, No Objection, has been recorded by Tim Polk |
2007-08-16
|
09 | Cullen Jennings | Placed on agenda for telechat - 2007-08-23 by Cullen Jennings |
2007-08-16
|
09 | Ron Bonica | Removed from agenda for telechat - 2007-08-23 by Ron Bonica |
2007-08-14
|
09 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2007-07-27
|
09 | Sam Hartman | [Ballot Position Update] New position, Recuse, has been recorded by Sam Hartman |
2007-07-26
|
09 | Lisa Dusseault | Placed on agenda for telechat - 2007-08-09 by Lisa Dusseault |
2007-07-26
|
09 | Lisa Dusseault | Ballot has been issued by Lisa Dusseault |
2007-07-25
|
05 | (System) | New version available: draft-hartman-webauth-phishing-05.txt |
2007-07-24
|
09 | Lisa Dusseault | Removed from agenda for telechat - 2007-08-09 by Lisa Dusseault |
2007-07-22
|
09 | Lisa Dusseault | State Change Notice email list has been changed to hartmans-ietf@mit.edu, alexey.melnikov@isode.com from hartmans-ietf@mit.edu |
2007-07-22
|
09 | Lisa Dusseault | Placed on agenda for telechat - 2007-08-09 by Lisa Dusseault |
2007-07-22
|
09 | Lisa Dusseault | State Changes to IESG Evaluation from Waiting for Writeup by Lisa Dusseault |
2007-07-22
|
09 | Lisa Dusseault | [Ballot Position Update] New position, Yes, has been recorded for Lisa Dusseault |
2007-07-22
|
09 | Lisa Dusseault | Ballot has been issued by Lisa Dusseault |
2007-07-22
|
09 | Lisa Dusseault | Created "Approve" ballot |
2007-07-10
|
09 | Lisa Dusseault | PROTO writeup (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? Alexey Melnikov is the document shepherd for this document. The document is ready for publication. (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? This document was reviewed by Eliot Lear and several Security Area participants. So there are no concerns about the depth of the reviews. (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization or XML? No concerns. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. No specific concerns. No IPR disclosure was filed for this document. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? 
This document is an individual submission. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) No. (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews? IDnits 2.04.12 was used to verify the document. It reports 2 warnings about references to older versions of drafts, which can be fixed by the RFC editor. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. Yes, references are properly split. There are no downward normative references. The document has 3 informative references to drafts. (1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document? If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC2434]. 
If the document describes an Expert Review process has Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during the IESG Evaluation? IANA considerations section exists and it requires no actions from IANA. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? The document doesn't have any ABNF, MIB, etc. (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up? Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction. This memo proposes requirements for protocols between web identity providers and users and for requirements for protocols between identity providers and relying parties. These requirements minimize the likelihood that criminals will be able to gain the credentials necessary to impersonate a user or be able to fraudulently convince users to disclose personal information. To meet these requirements browsers must change. Websites must never receive information such as passwords that can be used to impersonate the user to third parties. Browsers should perform mutual authentication and flag situations when the target website is not authorized to accept the identity being offered as this is a strong indication of fraud. This document is targeted to become an Informational RFC. Working Group Summary Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? 
This is an individual submission. Some reviewers have suggested that the documents can apply to environments other than web. The author thought that it would be better to concentrate on web and do a separate document for other environments later. There were some disagreements between the author and reviewers on whether it is practical to require support for non password based authentication mechanisms. The author changed the document to require support for non password based mechanisms. Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? At least 4 have reviewed the document. Posted comments were addressed in the latest revision. Personnel Who is the Document Shepherd for this document? Who is the Responsible Area Director? Alexey Melnikov is the document shepherd for this document. Lisa Dusseault is the responsible Area Director. |
2007-07-08
|
04 | (System) | New version available: draft-hartman-webauth-phishing-04.txt |
2007-06-20
|
09 | (System) | State has been changed to Waiting for Writeup from In Last Call by system |
2007-06-07
|
09 | Samuel Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Carl Wallace. |
2007-06-07
|
09 | Yoshiko Fong | IANA Last Call Comments: As described in the IANA Considerations section, we understand this document to have NO IANA Actions. |
2007-05-25
|
09 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Carl Wallace |
2007-05-25
|
09 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Carl Wallace |
2007-05-23
|
09 | Amy Vezza | Last call sent |
2007-05-23
|
09 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2007-05-22
|
09 | Lisa Dusseault | State Changes to Last Call Requested from AD Evaluation by Lisa Dusseault |
2007-05-22
|
09 | Lisa Dusseault | Last Call was requested by Lisa Dusseault |
2007-05-22
|
09 | (System) | Ballot writeup text was added |
2007-05-22
|
09 | (System) | Last call text was added |
2007-05-22
|
09 | (System) | Ballot approval text was added |
2007-05-18
|
09 | Lisa Dusseault | State Changes to AD Evaluation from Publication Requested by Lisa Dusseault |
2007-05-01
|
09 | Lisa Dusseault | Area acronym has been changed to app from gen |
2007-05-01
|
09 | Lisa Dusseault | Draft Added by Lisa Dusseault in state Publication Requested |
2007-03-06
|
03 | (System) | New version available: draft-hartman-webauth-phishing-03.txt |
2006-10-23
|
02 | (System) | New version available: draft-hartman-webauth-phishing-02.txt |
2006-06-29
|
01 | (System) | New version available: draft-hartman-webauth-phishing-01.txt |
2006-05-22
|
00 | (System) | New version available: draft-hartman-webauth-phishing-00.txt |