RE: [dix] Agenda bashing

"Hallam-Baker, Phillip" <pbaker@verisign.com> Mon, 03 July 2006 17:52 UTC

Subject: RE: [dix] Agenda bashing
Date: Mon, 03 Jul 2006 10:52:12 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37BD5E7C@MOU1WNEXMB04.vcorp.ad.vrsn.com>
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Digital Identity Exchange <dix@ietf.org>

> From: Eric Rescorla [mailto:ekr@networkresonance.com] 

> That's *one* way to attack phishing (at least the current form).
> There are others (cf. PwdHash)

There are three basic approaches to defeat phishing.

Phishing is an ATTACK where SOCIAL ENGINEERING is designed to STEAL CREDENTIALS.

1) Defeat the infrastructure of a specific attack
	Here we have takedown services such as the VeriSign Anti-Phishing solution, filtering of the phishing spam, blocking known phishing capture sites, fraud detection services etc.

2) Defeat the social engineering attack using strong outbound authentication
	This is the principal purpose of Secure Internet Letterhead: Use the PKIX logotype extension in an EV X.509 certificate to provide a trustworthy proof of legitimate use of the subject brand. Letterhead may be used in conjunction with DKIM or S/MIME to provide trustworthy proof of origin in the email channel or with SSL to provide trustworthy proof of origin in the Web.

3) Defeat the theft of the credentials by making the credentials theft resistant.
	The OATH consortium is working to provide an open, unencumbered standard for strong authentication whether OTP or PKI based. The algorithms for the OTP version have already been issued as informational RFCs. Other necessary infrastructure is being built out.

WAE does not fit into 1 or 2 and it does not directly address 3.

Where WAE fits in is that it facilitates the infrastructure changes necessary to make widespread deployment of #3 solutions possible.

With WAE I can in theory go down to Frys, buy a token and then use it to secure access to my bank account without the bank needing to support my specific token technology. All they need to know is that I am using something better than username and password and that the authentication service provider will provide an acceptable SLA.

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix