Sam Hartman | 8 Sep 2007 03:16

[Lakshminath Dondeti] Nomcom 2007-8: Nominations Close on Sep 10, 2007


Folks, I think it is important to our process that nomcom have a strong set of candidates.
I'd appreciate it if you would take the time Monday to look over the people you think contribute to the
security area and nominate those who you think would make a good AD.

--Sam

From: Lakshminath Dondeti <ldondeti <at> qualcomm.com>
Subject: Nomcom 2007-8: Nominations Close on Sep 10, 2007
Date: 2007-09-07 19:52:33 GMT
WGchairs, IESG and IAB members

Please forward this request to the lists you manage and request feedback 
and nominations.

All,

Here is the link to nominate: 
https://tools.ietf.org/group/nomcom/07/nominate

You may also send nominations or comments via email to nomcom07 <at> ietf.org 
or ldondeti <at> qualcomm.com.

We have received very few nominations (1, 2, 2, 2, 3, 4, 8, 8, 19) and 

Alexey Melnikov | 8 Sep 2007 20:09

Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

This message is trying to summarize recent discussions on 
draft-hartman-webauth-phishing-05.txt.

Several people voiced their support for the document (on IETF mailing 
list and in various other off-list discussions). Ekr doesn't think that 
the document should be published in the current form and he has some 
good technical points that need to be addressed. At least one more 
revision is needed to address recent comments from Ekr and SecDir review.

It is quite clear that some people got confused about intended status of 
this document and whether it represents IETF consensus. Sam has 
clarified what was his intention, but another consensus call is needed 
to make sure people agree with Sam.

Subsequent discussions and consensus calls on the document would happen 
on <ietf-http-auth <at> osafoundation.org>.

Alexey,
in my capacity as shepherd for draft-hartman-webauth-phishing
Eric Rescorla | 8 Sep 2007 22:53

Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

Alexey wrote:
> This message is trying to summarize recent discussions on 
> draft-hartman-webauth-phishing-05.txt.
> 
> Several people voiced their support for the document (on IETF mailing 
> list and in various other off-list discussions). Ekr doesn't think that 
> the document should be published in the current form and he has some 
> good technical points that need to be addressed. At least one more 
> revision is needed to address recent comments from Ekr and SecDir review.
> 
> It is quite clear that some people got confused about intended status of 
> this document and whether it represents IETF consensus. Sam has 
> clarified what was his intention, but another consensus call is needed 
> to make sure people agree with Sam.
> 
> Subsequent discussions and consensus calls on the document would happen 
> on <ietf-http-auth <at> osafoundation.org>.
> 
> Alexey,
> in my capacity as shepherd for draft-hartman-webauth-phishing

I object to this procedure.

This document has already had an IETF Last Call, where it failed to
achieve consensus. At this point, it doesn't need additional last
calls to "make sure that people agree with Sam", but rather to go back
to the authors to try to build support in the community. Not liking
the result of the previous Last Call is not a sufficient basis for
issuing another one.


Bernard Aboba | 9 Sep 2007 01:52

Re: [saag] [Ietf-http-auth] Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

> I object to this procedure.
> 
> This document has already had an IETF Last Call, where it failed to
> achieve consensus. At this point, it doesn't need additional last
> calls to "make sure that people agree with Sam", but rather to go back
> to the authors to try to build support in the community. Not liking
> the result of the previous Last Call is not a sufficient basis for
> issuing another one.
> 
> At some point in the future, it may be appropriate to issue another
> consensus call, but since this is not a WG mailing list--indeed, the
> IESG has twice declined to charter a WG in this area--nor are you the
> chair, it doesn't seem to me that you have standing to do that. When
> that time comes, I would expect the IESG to designate an appropriate
> time and place.

I agree with EKR here.  Failed consensus is failed consensus.  RFC 2026 
does not support the process that has been recommended here. 

_______________________________________________
Ietf mailing list
Ietf <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Alexey Melnikov | 9 Sep 2007 20:30

Re: [Ietf-http-auth] Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

Eric Rescorla wrote:

>Alexey wrote:
>
>>This message is trying to summarize recent discussions on 
>>draft-hartman-webauth-phishing-05.txt.
>>
>>Several people voiced their support for the document (on IETF mailing 
>>list and in various other off-list discussions). Ekr doesn't think that 
>>the document should be published in the current form and he has some 
>>good technical points that need to be addressed. At least one more 
>>revision is needed to address recent comments from Ekr and SecDir review.
>>
>>It is quite clear that some people got confused about intended status of 
>>this document and whether it represents IETF consensus. Sam has 
>>clarified what was his intention, but another consensus call is needed 
>>to make sure people agree with Sam.
>>
>>Subsequent discussions and consensus calls on the document would happen 
>>on <ietf-http-auth <at> osafoundation.org>.
>>
>>Alexey,
>>in my capacity as shepherd for draft-hartman-webauth-phishing
>>
>I object to this procedure.
>
>This document has already had an IETF Last Call, where it failed to
>achieve consensus.

Iljitsch van Beijnum | 9 Sep 2007 23:37

Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

On 8-sep-2007, at 20:09, Alexey Melnikov wrote:

> This message is trying to summarize recent discussions on draft- 
> hartman-webauth-phishing-05.txt.

> Several people voiced their support for the document (on IETF  
> mailing list and in various other off-list discussions). Ekr  
> doesn't think that the document should be published in the current  
> form and he has some good technical points that need to be  
> addressed. At least one more revision is needed to address recent  
> comments from Ekr and SecDir review.

Here's an outsider review.

What's an Ekr, btw?

I really dislike the use of "fishing" with creative spelling in a  
document prepared for an international standards organization. The  
world certainly doesn't need more words that sound the same and  
differ in meaning only by the way they're written, and I'm not sure  
how prevalent this terminology is outside the US and/or the English  
speaking world. Please come up with something more descriptive.

During the reading of this document, it occurred to me that HTTP  
digest authentication (RFC 2617) rather than the widely used practice  
of having security credentials be typed into an HTTP form would  
achieve 90% of the requirements all by itself. (More or less the same  
thing for S/MIME in mail.) The main part that's missing there is  
protection against a man in the middle. Obviously TLS goes through  
great pains to avoid men in the middle, but the document has no  
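The Digest property Iljitsch points to, as an added example that is not part of this thread or of the draft: an RFC 2617 client response (MD5, qop=auth), a verifier that stores only HA1 and issues single-use nonces, and a constructed lookalike realm whose captured response is a hash bound to that realm rather than the password, and is rejected at the real site. Realm names, users and passwords are constructed; the man-in-the-middle gap the message names is not addressed here.

```python
import hashlib
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth"):
    """Client side of RFC 2617 Digest (MD5 algorithm, qop=auth)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    """Verifier: stores HA1 per user (never the password); nonces are single use."""
    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, cnonce, response,
               nc="00000001"):
        if username not in self.ha1 or nonce not in self.issued:
            return False
        self.issued.discard(nonce)  # a second use of the same nonce fails
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[username]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        return secrets.compare_digest(expected, response)

def demo():
    """Constructed scenario; returns (honest_ok, replay_ok, lookalike_capture_ok)."""
    real = DigestServer("bank.example", {"alice": "correct horse"})
    nonce, cnonce = real.challenge(), secrets.token_hex(8)
    resp = digest_response("alice", "bank.example", "correct horse",
                           "GET", "/account", nonce, cnonce)
    honest = real.verify("alice", "GET", "/account", nonce, cnonce, resp)
    replay = real.verify("alice", "GET", "/account", nonce, cnonce, resp)
    # A lookalike host (constructed realm) must issue its own nonce; what it
    # captures is a realm-bound hash, not the password, and it fails at the real site.
    fake_nonce = secrets.token_hex(16)
    captured = digest_response("alice", "bank-login.example", "correct horse",
                               "GET", "/account", fake_nonce, cnonce)
    reused = real.verify("alice", "GET", "/account", fake_nonce, cnonce, captured)
    return honest, replay, reused
```

HA1 is an unsalted MD5 of user, realm and password, so a captured response still permits offline guessing of weak passwords: this limits credential disclosure, it does not remove it.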

Marshall Eubanks | 10 Sep 2007 00:51

Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)


On Sep 9, 2007, at 5:37 PM, Iljitsch van Beijnum wrote:

> On 8-sep-2007, at 20:09, Alexey Melnikov wrote:
>
>> This message is trying to summarize recent discussions on draft- 
>> hartman-webauth-phishing-05.txt.
>
>> Several people voiced their support for the document (on IETF  
>> mailing list and in various other off-list discussions). Ekr  
>> doesn't think that the document should be published in the current  
>> form and he has some good technical points that need to be  
>> addressed. At least one more revision is needed to address  
>> recent comments from Ekr and SecDir review.
>
> Here's an outsider review.
>
> What's an Ekr, btw?
>
> I really dislike the use of "fishing" with creative spelling in a  
> document prepared for an international standards organization. The  
> world certainly doesn't need more words that sound the same and  
> differ in meaning only by the way they're written, and I'm not sure  
> how prevalent this terminology is outside the US and/or the English  
> speaking world. Please come up with something more descriptive.

I tend to rely on Dictionaries to sort these things out - from  
Dictionary.com

-----

Iljitsch van Beijnum | 10 Sep 2007 01:21

Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

On 10-sep-2007, at 0:51, Marshall Eubanks wrote:

> I tend to rely on Dictionaries to sort these things out - from  
> Dictionary.com

Dictionaries are useless, when in doubt they just add definitions.  
For instance, try figuring out how many bytes there are in a megabyte  
from a few dictionaries.


Bill Manning | 10 Sep 2007 01:48

Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

On Mon, Sep 10, 2007 at 01:21:00AM +0200, Iljitsch van Beijnum wrote:
> On 10-sep-2007, at 0:51, Marshall Eubanks wrote:
> 
> >I tend to rely on Dictionaries to sort these things out - from  
> >Dictionary.com
> 
> Dictionaries are useless, when in doubt they just add definitions.  
> For instance, try figuring out how many bytes there are in a megabyte  
> from a few dictionaries.
> 

`When I use a word,' Humpty Dumpty said, in rather a scornful tone, 
`it means just what I choose it to mean -- neither more nor less.'

 
--bill

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).


Hallam-Baker, Phillip | 10 Sep 2007 03:47

RE: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

> From: Iljitsch van Beijnum [mailto:iljitsch <at> muada.com] 

> During the reading of this document, it occurred to me that 
> HTTP digest authentication (RFC 2617) rather than the widely 
> used practice of having security credentials be typed into an 
> HTTP form would achieve 90% of the requirements all by 
> itself. 

Well maybe if people had listened to me then :-)

But at this point, fifteen years later, Digest is not the way to go. First, Digest was designed under the express
constraint of avoiding patent encumbrances. RSA and D-H were both off the table at the time.

If I were to redo Digest today or expand its scope, I would do it differently. The main reason I would not is that
SAML and WS-* both provide an excellent solution. I very much like and support the Cardspace idea of
building it into the O/S platform. I very much like the OpenID concept of making the barrier to entry very low.
I would like to arrive at a happy combination of the existing proposals, not see more proposals put on the
table at this point.
