[Ietf-http-auth] Pondering some issues on the phishing draft

Sam Hartman hartmans-ietf at mit.edu
Tue Oct 23 12:43:30 PDT 2007
Hi, folks.
I wanted to let you know where I am and to solicit some comments.

I've been pondering two big issues that came up in ekr's review.

The first is pwdhash.  Eric correctly points out that the requirements
for mutual authentication rule out pwdhash.  I don't justify this;
Eric says that's a problem and he's right.

It's a bit complicated.  I'm quite sure that pwdhash is an improvement
over what we have today.  However, I'm also quite sure that it is
worthwhile to actually go as far as mutual authentication.  So, I
don't want to discourage people from deploying something like pwdhash
instead of keeping with the status quo.  But I also think it is
valuable to actually get as far as mutual authentication.  I think we
should recommend developing authentication systems that meet that
goal.  However, I don't have a coherent justification to propose for
your review.  I need to come up with that.  I've been working on that.
I also need to work on text to make it clear that schemes like pwdhash
are an improvement.

The second issue is the response to whether people will actually take
advantage of UI clues.  I'm also pondering what to say here.