Requirements for Web Authentication Resistant to Phishing
draft-hartman-webauth-phishing-09

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>
Subject: Document Action: 'Requirements for Web Authentication
         Resistant to Phishing' to Informational RFC

The IESG has approved the following document:

- 'Requirements for Web Authentication Resistant to Phishing'
   <draft-hartman-webauth-phishing-10.txt> as an Informational RFC

This document has been reviewed in the IETF but is not the product of an
IETF Working Group.

The IESG contact person is Lisa Dusseault.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-hartman-webauth-phishing-10.txt

Ballot Text

Technical Summary
 
  This memo proposes requirements for protocols between web identity
  providers and users, and for protocols between identity providers
  and relying parties. These requirements minimize the likelihood that
  criminals will be able to gain the credentials necessary to
  impersonate a user, or be able to fraudulently convince users to
  disclose personal information. To meet these requirements, browsers
  must change. Websites must never receive information, such as
  passwords, that can be used to impersonate the user to third
  parties. Browsers should perform mutual authentication and flag
  situations in which the target website is not authorized to accept
  the identity being offered, as this is a strong indication of fraud.
 
Working Group Summary
 
  This is an individual submission, based on requirements that
  gained consensus in the WAE BOF.

  A couple of interesting discussions came up during review, with the
  following results:
   - Can the documents apply to environments other than the Web?
     In theory, but due to author discretion and time, it does not.
   - Should non-password-based mechanisms be required? Yes.
 
Protocol Quality
 
  Lisa Dusseault reviewed this document for the IESG. Alexey Melnikov
  volunteered to shepherd and naturally reviewed the document as well.
  Other careful reviews were done on request and in IETF last call.
  PROTO writeup is preserved in tracker comments.

Note to RFC Editor
 
  The shepherd has noted two references to older versions of drafts,
  which will need to be fixed.

IESG Note

 (Insert IESG Note here)

IANA Note

  No actions are requested of IANA.

RFC Editor Note