security
James A. Donald
jamesd at echeque.com
Sun Oct 22 23:54:43 UTC 2006
Dick Hardt wrote:
> Hans has written a security profile proposal so that
> an RP would be able to decide if an IdP supported a
> level of security appropriate for a transaction.
Too damn many options for the end user to track - so the
end user will not track them. End users are hopelessly
overloaded with security issues, and so cannot pay
attention.
Make it one mode and that mode secure. Let us not have
another repeat of the phishing crisis.
If something is wrong, the login should just not work.
No warning dialogs to click through, no "this is
security level blah, is that really what you want?" You
must write specifications for an environment where data
is hostile, where your program is interacting with very
clever people who have very bad intentions, and end
users have no spare attention to make obscure decisions
with unclear consequences.
Every additional mode is an additional problem, an
additional decision, additional user interface, which
merely trains the user to click through.
The login must work on the basis that the site and the
user are under attack, and the user is unlikely to be
paying attention. If there were no bad guys, we would
not need identification. All this software has to be
specified and written on the basis that bad guys are out
to get you.