
Requirements for Web Authentication Resistant to Phishing
draft-hartman-webauth-phishing-09


Document history

Date Rev. By Action
2015-10-14
09 (System) Notify list changed from hartmans-ietf@mit.edu, alexey.melnikov@isode.com to alexey.melnikov@isode.com
2012-08-22
09 (System) post-migration administrative database adjustment to the No Record position for Cullen Jennings
2009-02-19
09 (System) Document has expired
2008-08-18
09 (System) New version available: draft-hartman-webauth-phishing-09.txt
2008-08-15
08 (System) New version available: draft-hartman-webauth-phishing-08.txt
2008-07-13
07 (System) New version available: draft-hartman-webauth-phishing-07.txt
2008-05-21
09 (System) State Changes to Dead from AD is watching by system
2008-05-21
09 (System) Document has expired
2008-03-17
09 Cullen Jennings [Ballot Position Update] Position for Cullen Jennings has been changed to Undefined from Discuss by Cullen Jennings
2007-11-18
06 (System) New version available: draft-hartman-webauth-phishing-06.txt
2007-10-06
09 Cullen Jennings [Ballot discuss]
This is a discuss Discuss. Is there consensus for this document or not?
2007-09-12
09 Lisa Dusseault State Changes to AD is watching from IESG Evaluation::Revised ID Needed by Lisa Dusseault
2007-09-12
09 Lisa Dusseault
By the time this draft got to IESG Evaluation, it became clear to me, the author and the shepherd (Alexey Melnikov), that another revision and more community input would be a very good thing.  Alexey has volunteered to help drive that and evaluate informal consensus as a 3rd party, and is doing so on the ietf-http-auth list.
2007-08-24
09 (System) Removed from agenda for telechat - 2007-08-23
2007-08-23
09 Amy Vezza State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza
2007-08-23
09 Lisa Dusseault [Ballot discuss]
As document sponsor I'm taking on Cullen and Ross's DISCUSSes to determine consensus better on this document.
2007-08-23
09 Lisa Dusseault [Ballot Position Update] Position for Lisa Dusseault has been changed to Discuss from Yes by Lisa Dusseault
2007-08-23
09 Ross Callon
[Ballot discuss]
This might be redundant with Cullen's discuss, but...

To me this document addresses a very important issue. However, it also seems clear from the related email discussion that this document does not represent IETF consensus. Given that this is coming from a security AD, I think that the "General's dilemma" (i.e., the danger of the document being interpreted as being more normative than it is intended to be) is particularly important to avoid in this case.

Therefore I think that we need to add some sort of warning to the extent that this document is an individual submission that is intended to help to encourage progress on dealing with phishing attacks, but that this does not represent IETF consensus at this time, and that this does not set requirements for future work. We might also want to take a close look at the document regarding whether "requirement" should be "recommendation" in some or all cases.
2007-08-23
09 Ross Callon [Ballot Position Update] Position for Ross Callon has been changed to Discuss from Undefined by Ross Callon
2007-08-23
09 Ross Callon
[Ballot discuss]
This might be redundant with Cullen's discuss, but...

To me this document addresses a very important issue. However, it also seems clear from the related email discussion that this document does not represent IETF consensus. Given that this is coming from a security AD, I think that the "General's dilemma" (i.e., the danger of the document being interpreted as being more normative than it is intended to be) is particularly important to avoid in this case.

Therefore I think that we need to add some sort of warning to the extent that this document is an individual submission that is intended to help to encourage progress on dealing with phishing attacks, but that this does not represent IETF consensus at this time, and that this does not set requirements for future work. We might also want to take a close look at the document regarding whether "requirement" should be "recommendation" in some or all cases.
2007-08-23
09 Ross Callon [Ballot Position Update] Position for Ross Callon has been changed to Undefined from Discuss by Ross Callon
2007-08-23
09 Ross Callon [Ballot Position Update] Position for Ross Callon has been changed to Discuss from Undefined by Ross Callon
2007-08-23
09 Ross Callon [Ballot Position Update] Position for Ross Callon has been changed to Undefined from No Objection by Ross Callon
2007-08-23
09 Chris Newman
[Ballot comment]
I am voting yes because I feel strongly the IETF needs to publish and
approve a document like this and do so relatively soon to take a step
forward in this area.  I have spoken to some reviewers in the
applications area who were pleasantly surprised after reading this
document and found it clear and valuable.  I am seeing an emerging
rough consensus in the intersection between application and security
areas to do real work on this topic.  Getting a minimalist requirements
document done might allow that effort to skip the time-wasting
requirements gathering phase and move on to evaluation of real protocol
work that will draw in the appropriate technical experts and would thus
be good for the IETF in general.

This document needs a revision to address the changes Sam wants to make
based on Eric's review, Russ's comments and the issues Christian Vogt
raised.  I trust Jari to hold his discuss for that revision.

It is my educated guess there is rough consensus in the IETF to publish
this document.  However, additional work to document that rough
consensus would be helpful given the strength of the two last call
objections.  I trust Cullen to hold his discuss awaiting such evidence.
2007-08-23
09 Chris Newman [Ballot Position Update] New position, Yes, has been recorded by Chris Newman
2007-08-22
09 Ron Bonica
[Ballot comment]
I am voting "no-objection" with some reservations about whether we really have community consensus. At least two people have voiced strong objections to the publication of this document. Another has suggested that individual submission is not the appropriate mechanism to tackle such an important topic.
2007-08-22
09 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica
2007-08-22
09 Cullen Jennings
[Ballot discuss]
This is a discuss Discuss.

My view of this whole thread on this document is that the key question is simple: Is there consensus for this document or not? In the past, we have treated documents where at least one or two people thought it was a good idea and no one objected as having consensus. This document is a bit different because at least a couple of people seem to think this document should not be published as is. It's very unclear to me how many people do or do not think this should be published, and that makes it hard for me to try and decide if there is consensus.
2007-08-22
09 Cullen Jennings [Ballot Position Update] New position, Discuss, has been recorded by Cullen Jennings
2007-08-22
09 Jari Arkko [Ballot discuss]
I'd like Christian Vogt's comments (see below) for
Sections 4.3 and 8 to be addressed.
2007-08-22
09 Jari Arkko [Ballot Position Update] Position for Jari Arkko has been changed to Discuss from No Objection by Jari Arkko
2007-08-22
09 Jari Arkko
[Ballot comment]
Christian Vogt's review:

This document provides guidance on designing secure authentication mechanisms
for Web services.  The goal is to replace HTML-form- and password-based
mechanisms that are commonly used today.  The document is a valuable step
forward in the combat against phishing.  However, below are a few issues that
Sam might want to address before this document becomes an RFC.

Section 3.1 (Capabilities of Attackers):

The 1st paragraph lists mechanisms by which an attacker can trick a victim user
into accepting a spoofed Web site.  One of them is "on-path network attacks".  I
am unsure what is meant by this.  It could refer to attacks on DNS, but those
attacks are listed separately.  It could also refer to MiTM attacks on TLS
connection establishment, but it is assumed that certificates are available.  In
consequence, I would assume that it refers to the process of obtaining a
certificate.  But this is unclear and should be clarified.

Section 3.1 (Capabilities of Attackers):

The 2nd paragraph of section 3.1 describes which components of a UI an attacker
might be able to forge.  The text differentiates between components that are
based on special knowledge about the user (such as an account balance or
transaction history), and components that do not require such knowledge (such as
a login page).  What I am missing here is some thoughts on how far forgery of the
latter type of component could enable forgery of the former type.

Reusing the examples in parentheses, an attacker might be able to trick a victim
user into providing a password via a spoofed login page, and then retrieve the
user's current account balance and transaction history from the legitimate site
in order to subsequently print it on another spoofed page.

Section 4.3 (No Password Equivalents):

The terms "strong/weak password equivalence" seem to be used differently in this
document than in [draft-iab-auth-mech], which is used as a reference in this
document.  In [draft-iab-auth-mech], the terms are used to describe a dependency
between login credentials for different systems, while in this document, they
are used for the data exchanged between an authenticator and an authenticatee.

Section 8 (Security Considerations):

Paragraph 5 mixes two issues:

  (i)  Web sites using both the proposed authentication mechanism and
      a legacy, HTML-based mechanism for backwards compatibility

  (ii) users who take the same password for Web sites with the proposed
      authentication mechanism and Web sites with a legacy
      authentication mechanism

These two issues are orthogonal and should be separated.

While the document suggests a solution for issue (ii) -- which calls for users
not to use the same password for different Web sites --, there is no suggested
solution for issue (i).  One possible solution could be provide a mechanism by
which users can disable access through legacy authentication mechanisms.
Re-enabling access for legacy authentication mechanisms could be accomplished
only through the proposed authentication mechanism.  Maybe Sam wants
to add this to his draft...

Editorial:

- General

    Abbreviation "UI" is never spelled out.  I'd recommend spelling
    it out everywhere.

- Abstract

    s/providers and users and for /providers and users, and/

    s/These requirements may serve/These requirements may also serve/ ?

- Section 4.1

    s/Passwords and OTher Methods/Passwords and Other Methods/

    s/do not have smart cards/do not have smart card readers/

    s/access to other resources may/access to other resources--may/

- Section 4.2

    s/security community has/security community has done/

- Section 4.3

    s/No Password Equivelents/No Password Equivalents/

- Section 4.6

    s/the the/the/
2007-08-22
09 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu
2007-08-22
09 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert
2007-08-22
09 Jari Arkko [Ballot Position Update] Position for Jari Arkko has been changed to No Objection from Yes by Jari Arkko
2007-08-21
09 Jari Arkko [Ballot Position Update] New position, Yes, has been recorded by Jari Arkko
2007-08-20
09 David Ward [Ballot Position Update] New position, No Objection, has been recorded by David Ward
2007-08-19
09 Russ Housley
[Ballot comment]
Section 3 says:
  >
  > Similarly in a system that used smart cards, the smart cards would
  > need to be trusted not to give attackers access to private keys or
  > other authentication material.
  >
  This should accommodate other authentication tokens too.  I suggest:
  >
  > Similarly in a system that uses smart cards or other authentication
  > tokens, the token needs to be trusted not to give attackers access
  > to private keys or other authentication material.

  Section 4.1 says:
  >
  > Carrying a smart card or USB token ...
  >
  To match above, I suggest:
  >
  > Carrying a smart card or other authentication token ...
  >
  Then, the remaining text in Section 4.1 should be revised to talk about
  authentication tokens in general.  Most is unnecessarily specific to
  smart cards.

  I think the Security Considerations should say something about DNS,
  especially in the context of the RFC 2818 checking.
2007-08-19
09 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley
2007-08-16
09 Tim Polk [Ballot Position Update] New position, No Objection, has been recorded by Tim Polk
2007-08-16
09 Cullen Jennings Placed on agenda for telechat - 2007-08-23 by Cullen Jennings
2007-08-16
09 Ron Bonica Removed from agenda for telechat - 2007-08-23 by Ron Bonica
2007-08-14
09 Ross Callon [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon
2007-07-27
09 Sam Hartman [Ballot Position Update] New position, Recuse, has been recorded by Sam Hartman
2007-07-26
09 Lisa Dusseault Placed on agenda for telechat - 2007-08-09 by Lisa Dusseault
2007-07-26
09 Lisa Dusseault Ballot has been issued by Lisa Dusseault
2007-07-25
05 (System) New version available: draft-hartman-webauth-phishing-05.txt
2007-07-24
09 Lisa Dusseault Removed from agenda for telechat - 2007-08-09 by Lisa Dusseault
2007-07-22
09 Lisa Dusseault State Change Notice email list has been changed to hartmans-ietf@mit.edu, alexey.melnikov@isode.com from hartmans-ietf@mit.edu
2007-07-22
09 Lisa Dusseault Placed on agenda for telechat - 2007-08-09 by Lisa Dusseault
2007-07-22
09 Lisa Dusseault State Changes to IESG Evaluation from Waiting for Writeup by Lisa Dusseault
2007-07-22
09 Lisa Dusseault [Ballot Position Update] New position, Yes, has been recorded for Lisa Dusseault
2007-07-22
09 Lisa Dusseault Ballot has been issued by Lisa Dusseault
2007-07-22
09 Lisa Dusseault Created "Approve" ballot
2007-07-10
09 Lisa Dusseault
PROTO writeup

PROTO writeup

  (1.a)  Who is the Document Shepherd for this document?  Has the
        Document Shepherd personally reviewed this version of the
        document and, in particular, does he or she believe this
        version is ready for forwarding to the IESG for publication?

Alexey Melnikov is the document shepherd for this document.
The document is ready for publication.

  (1.b)  Has the document had adequate review both from key WG members
        and from key non-WG members?  Does the Document Shepherd have
        any concerns about the depth or breadth of the reviews that
        have been performed?

This document was reviewed by Eliot Lear and several Security Area participants.
So there are no concerns about the depth of the reviews.

  (1.c)  Does the Document Shepherd have concerns that the document
        needs more review from a particular or broader perspective,
        e.g., security, operational complexity, someone familiar with
        AAA, internationalization or XML?

No concerns.

  (1.d)  Does the Document Shepherd have any specific concerns or
        issues with this document that the Responsible Area Director
        and/or the IESG should be aware of?  For example, perhaps he
        or she is uncomfortable with certain parts of the  document, or
        has concerns whether there really is a need for it.  In any
        event, if the WG has discussed those issues and has indicated
        that it still wishes to advance the document, detail those
        concerns here.  Has an IPR disclosure related to this  document
        been filed?  If so, please include a reference to the
        disclosure and summarize the WG discussion and conclusion on
        this issue.

No specific concerns. No IPR disclosure was filed for this document.

  (1.e)  How solid is the WG consensus behind this document?  Does it
        represent the strong concurrence of a few individuals, with
        others being silent, or does the WG as a whole understand and
        agree with it?

This document is an individual submission.

  (1.f)  Has anyone threatened an appeal or otherwise indicated  extreme
        discontent?  If so, please summarise the areas of conflict in
        separate email messages to the Responsible Area Director.  (It
        should be in a separate email because this questionnaire is
        entered into the ID Tracker.)
No.

  (1.g)  Has the Document Shepherd personally verified that the
        document satisfies all ID nits?  (See
        http://www.ietf.org/ID-Checklist.html and
        http://tools.ietf.org/tools/idnits/).  Boilerplate checks are
        not enough; this check needs to be thorough.  Has the  document
        met all formal review criteria it needs to, such as the MIB
        Doctor, media type and URI type reviews?

IDnits 2.04.12 was used to verify the document. It reports 2 warnings about references to older versions of drafts, which can be fixed by the RFC editor.

  (1.h)  Has the document split its references into normative and
        informative?  Are there normative references to documents  that
        are not ready for advancement or are otherwise in an unclear
        state?  If such normative references exist, what is the
        strategy for their completion?  Are there normative  references
        that are downward references, as described in [RFC3967]?  If
        so, list these downward references to support the Area
        Director in the Last Call procedure for them [RFC3967].

Yes, references are properly split. There are no downward normative references.
The document has 3 informative references to drafts.

  (1.i)  Has the Document Shepherd verified that the document IANA
        consideration section exists and is consistent with the body
        of the document?  If the document specifies protocol
        extensions, are reservations requested in appropriate IANA
        registries?  Are the IANA registries clearly identified?  If
        the document creates a new registry, does it define the
        proposed initial contents of the registry and an allocation
        procedure for future registrations?  Does it suggest a
        reasonable name for the new registry?  See [RFC2434].  If the
        document describes an Expert Review process has Shepherd
        conferred with the Responsible Area Director so that the IESG
        can appoint the needed Expert during the IESG Evaluation?

IANA considerations section exists and it requires no actions from IANA.

  (1.j)  Has the Document Shepherd verified that sections of the
        document that are written in a formal language, such as XML
        code, BNF rules, MIB definitions, etc., validate correctly in
        an automated checker?

The document doesn't have any ABNF, MIB, etc.

  (1.k)  The IESG approval announcement includes a Document
        Announcement Write-Up.  Please provide such a Document
        Announcement Write-Up?  Recent examples can be found in the
        "Action" announcements for approved documents.  The approval
        announcement contains the following sections:

        Technical Summary
            Relevant content can frequently be found in the abstract
            and/or introduction of the document.  If not, this may be
            an indication that there are deficiencies in the abstract
            or introduction.

  This memo proposes requirements for protocols between web identity
  providers and users and for requirements for protocols between
  identity providers and relying parties. These requirements minimize
  the likelihood that criminals will be able to gain the credentials
  necessary to impersonate a user or be able to fraudulently convince
  users to disclose personal information. To meet these requirements
  browsers must change. Websites must never receive information such
  as passwords that can be used to impersonate the user to third
  parties. Browsers should perform mutual authentication and flag
  situations when the target website is not authorized to accept the
  identity being offered as this is a strong indication of fraud.

  This document is targeted to become an Informational RFC.

        Working Group Summary
            Was there anything in WG process that is worth noting?  For
            example, was there controversy about particular points or
            were there decisions where the consensus was particularly
            rough?

This is an individual submission.

Some reviewers have suggested that the document can apply to environments other than the web.
The author thought that it would be better to concentrate on web and do a separate document
for other environments later.

There were some disagreements between the author and reviewers on whether it is practical to
require support for non password based authentication mechanisms. The author changed
the document to require support for non password based mechanisms.

        Document Quality
            Are there existing implementations of the protocol?  Have a
            significant number of vendors indicated their plan to
            implement the specification?  Are there any reviewers that
            merit special mention as having done a thorough review,
            e.g., one that resulted in important changes or a
            conclusion that the document had no substantive  issues?  If
            there was a MIB Doctor, Media Type or other expert review,
            what was its course (briefly)?  In the case of a Media  Type
            review, on what date was the request posted?

At least 4 have reviewed the document. Posted comments were addressed in the latest revision.

        Personnel
            Who is the Document Shepherd for this document?  Who is  the
            Responsible Area Director?

Alexey Melnikov is the document shepherd for this document.
Lisa Dusseault is the responsible Area Director.
2007-07-08
04 (System) New version available: draft-hartman-webauth-phishing-04.txt
2007-06-20
09 (System) State has been changed to Waiting for Writeup from In Last Call by system
2007-06-07
09 Samuel Weiler Request for Last Call review by SECDIR Completed. Reviewer: Carl Wallace.
2007-06-07
09 Yoshiko Fong IANA Last Call Comments:

As described in the IANA Considerations section, we understand
this document to have NO IANA Actions.
2007-05-25
09 Samuel Weiler Request for Last Call review by SECDIR is assigned to Carl Wallace
2007-05-25
09 Samuel Weiler Request for Last Call review by SECDIR is assigned to Carl Wallace
2007-05-23
09 Amy Vezza Last call sent
2007-05-23
09 Amy Vezza State Changes to In Last Call from Last Call Requested by Amy Vezza
2007-05-22
09 Lisa Dusseault State Changes to Last Call Requested from AD Evaluation by Lisa Dusseault
2007-05-22
09 Lisa Dusseault Last Call was requested by Lisa Dusseault
2007-05-22
09 (System) Ballot writeup text was added
2007-05-22
09 (System) Last call text was added
2007-05-22
09 (System) Ballot approval text was added
2007-05-18
09 Lisa Dusseault State Changes to AD Evaluation from Publication Requested by Lisa Dusseault
2007-05-01
09 Lisa Dusseault Area acronym has been changed to app from gen
2007-05-01
09 Lisa Dusseault Draft Added by Lisa Dusseault in state Publication Requested
2007-03-06
03 (System) New version available: draft-hartman-webauth-phishing-03.txt
2006-10-23
02 (System) New version available: draft-hartman-webauth-phishing-02.txt
2006-06-29
01 (System) New version available: draft-hartman-webauth-phishing-01.txt
2006-05-22
00 (System) New version available: draft-hartman-webauth-phishing-00.txt