IETF Logo Mail Archive

Re: [dix] Agenda bashing

Eric Rescorla <ekr@networkresonance.com> Fri, 07 July 2006 07:19 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fykcl-0007SY-Dp; Fri, 07 Jul 2006 03:19:39 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fykck-0007SS-MA for dix@ietf.org; Fri, 07 Jul 2006 03:19:38 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FyjIr-0002Lb-J6 for dix@ietf.org; Fri, 07 Jul 2006 01:55:01 -0400
Received: from laser.networkresonance.com ([198.144.196.2]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FyiuC-0003BC-Oa for dix@ietf.org; Fri, 07 Jul 2006 01:29:33 -0400
Received: from networkresonance.com (raman.networkresonance.com [198.144.196.3]) by laser.networkresonance.com (Postfix) with ESMTP id 57E01222426; Thu, 6 Jul 2006 22:37:32 -0700 (PDT)
To: Eliot Lear <lear@cisco.com>
Subject: Re: [dix] Agenda bashing
In-reply-to: Your message of "Fri, 07 Jul 2006 04:36:39 +0200." <44ADC8B7.2060605@cisco.com>
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 19)
Date: Thu, 06 Jul 2006 22:29:23 -0700
From: Eric Rescorla <ekr@networkresonance.com>
Message-Id: <20060707053732.57E01222426@laser.networkresonance.com>
X-Spam-Score: -2.4 (--)
X-Scan-Signature: 97adf591118a232206bdb5a27b217034
Cc: Digital Identity Exchange <dix@ietf.org>
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

Eliot Lear <lear@cisco.com> wrote:
> Eric Rescorla wrote:
> That the password is at all related to the hash result at all is an
> (IMHO) unnecessary risk that would in our scenarios impact more than a
> single service.  There exists methods where this is NOT the case.

Yes, there do. But they all involve lugging some object around,
in which case the problem becomes vastly easier. We need 
a system which doesn't require a token.


> >> It remains up to the end server as to what
> >> transactions might require additional authentication.  So for instance,
> >> a bank may choose to authenticate on new payees for online billing or
> >> for particularly large transactions.  Or not.
> >>     
> >
> > The problem is that this only sort-of protects you against host
> > computer compromise because the token that the user authenticates with
> > generally isn't cryptographically bound to the request the user
> > is making. This allows the crimeware to claim it's requesting
> > you to use your token for innocuous purpose X (e.g, routine
> > security check) but to actually be using it for malicious purpose
> > Y. So, it's a liveness check, but not a misuse check. See also
> > [BF99].
> >   
> Indeed if you don't trust your browser to function properly you are left
> with tradeoffs.  As we've seen even in the mobile world, a browser can
> get hacked.  But there are approaches to further reduce the risk, like
> describing the transaction on a display of the card.

Yes. The reference I provided was to one such system.

-Ekr

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix

v2.23.0 | Report a Bug | By Email