Of late, I've been spending a lot of time at work thinking about web authentication. My boss accidentally assigned me the task of fixing the web. He set out a list of requirements that were impossible given current browsers and protocols. I told him this. He asked when I was going to fix things and sort of hinted that I should start this summer. One thing led to another and I've been putting together a proposal to solve a subset of the web single -sign-on problem and the phishing problem. There is a lot of work in this space and it is more politics than technology. Here is a talk I gave on the basic idea; a draft on the proposal; and a draft on requirements for avoiding phishing attacks. I think the phishing requirements may be the most lasting contribution to the ongoing work. I need to revise them over the weekend. If I am successful in integrating my thoughts over the last two weeks into the document, I will be rather proud of the result.