Re: Paper summarizing new directions in protecting web users

2006-03-08 Thread Jason Holt 


On Mon, 6 Mar 2006, Amir Herzberg wrote:


I've summarized the current directions that our group is working on
towards improving security for web users. I'll probably soon post it as
HTML, but I'm terribly busy and so far just posted it in eCrypt as PDF,
see at http://eprint.iacr.org/2006/083.pdf.

[...]

Amir will also be appearing next month in a panel I'm moderating on the 
challenges of practical web security at NIST's PKI conference.  Some of the 
discussions I've seen on this list led to the creation of that panel -- if we 
as cryptographers sometimes have to wrangle over what's considered trustworthy 
website behavior, how are users ever supposed to cope?


The standard flyer for that conference follows:

*** NO ON-SITE REGISTRATION!  Last day to register: March 17 ***

5th Annual PKI R&D Workshop at NIST in Gaithersburg, MD
"Making Cryptography Easy to Use"
April 4-6, 2006
http://middleware.internet2.edu/pki06/

Come join with experts from NIST, NIH, private industry and universities
around the world for our fifth workshop!


Scheduled topics include:

KEYNOTE ADDRESS
HAS JOHNNY LEARNT TO ENCRYPT BY NOW? Examining the troubled relationship
between a security solution and its users
Angela Sasse, University College London

REFEREED PAPERS:
-How Trust Had a Hole Blown In It.  The Case of X.509 Name Constraints
-Navigating Revocation through Eternal Loops and Land Mines
-Simplifying Credential Management through PAM and Online Certificate
Authorities
-Identity Federation and Attribute-based Authorization through the Globus
Toolkit, Shibboleth, GridShib, and MyProxy
-PKI Interoperability by an Independent, Trusted Validation Authority
-Achieving Email Security Usability
-CAUDIT PKI Federation - A Higher Education Sector Wide Approach

INVITED TALKS:
-NIST Cryptographic Standards Status Report, Bill Burr, NIST
-Trust Infrastructure and DNSSEC Deployment, Allison Mankin, Consultant
-Integrating PKI and Kerberos, Jeffrey Altman, Secure Endpoints Inc.
-Enabling Revocation for Billions of Consumers, Kelvin Yiu, Microsoft

PANELS:
- Digital Signatures (Moderator: David Chadwick, University of Kent)
- Domain Keys Identified Mail (DKIM) (Moderator:  Barry Leiba, IBM)
- Browser Security User Interfaces: Why are web security decisions hard and
what can we do about it?
  (Moderator:  Jason Holt, Brigham Young University)
- Federal PKI Update (Moderator - Peter Alterman, National Institutes of
Health)
- Bridge-to-Bridge Interoperations (Moderator - Peter Alterman, National
Institutes of  Health)

WORKS IN PROGRESS (WIP)  (Contact Krishna Sankar ([EMAIL PROTECTED]) if you
have additional WIP topics)
Potential topics:
-  CNRI handle system (brief overview)
-  International Grid Trust Federation

Complete agenda is available at http://middleware.internet2.edu/pki06/



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Paper summarizing new directions in protecting web users

2006-03-08 Thread Amir Herzberg 

I've summarized the current directions that our group is working on
towards improving security for web users. I'll probably soon post it as
HTML, but I'm terribly busy and so far just posted it in eCrypt as PDF,
see at http://eprint.iacr.org/2006/083.pdf.

We hope to soon be able to provide more details and working extension(s)
implementing these ideas - we are working on these. We would love your
feedback, and look forward to cooperate with _any_ browser vendor, or
security company (anti-virus, CA, etc.) that is interested in pursuing
these exciting opportunities.

Abstract. We describe the current state of web security, and identify
the main problems. We then present proposals for improvements,
including: secure site identification widget; secure and convenient
`single click logon`; improved validation certificates; and using
public-key signatures and automated resolutions and penalties, to defend
against malicious content including malware.

I'll appreciate your comments, suggestions and corrections.

BTW: I'll be in NYC all of next week, for the W3C Workshop on
Transparency and Usability of Web Authentication; in particular I'll
visit (and present) in Columbia univ. this Friday and in IBM Watson on
next Tuesday - so if any of you are around, I'll love to see you.
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]