I have been selected as the General Area Review Team (Gen-ART) reviewer for this draft (for background on Gen-ART, please see http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).

Please resolve these comments along with any other Last Call comments you may receive.

Document: draft-hartman-webauth-phishing-03.txt
Reviewer: Brian Carpenter
Review Date: 2007-05-29
IETF LC End Date: 2007-06-20
IESG Telechat date: (if known)

Summary: This draft is basically ready for publication, but the reviewer has minor comments.

Comments:

This seems to be an essential draft. It will need to result in concrete, implementable specifications to actually influence browser and server implementors.

I think limiting the scope to HTTP is reasonable from a pragmatic point of view, although I agree with Eliot Lear's implication that a modular solution that could be applied elsewhere would be ideal.

I have seen Eliot Lear's comment that "your assumption that the computer is secure is a bad one." However, I cannot see any way to avoid this assumption. Perhaps it should be stated more crisply: if the system hosting the UI has been compromised, then the UI cannot be trusted. (That raises the question of whether the UI in a web cafe can *ever* be trusted.)

A related question on section 5 or the Security Considerations: isn't it also the case that the model trusts DNS? If DNS has been forged, the user might mistakenly trust the wrong server and its certificate.