Re[2]: [dix] Agenda bashing
Chris Drake <christopher@pobox.com> Wed, 20 June 2007 14:28 UTC
Return-path: <dix-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I11AY-0001p6-P4; Wed, 20 Jun 2007 10:28:26 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I11AY-0001oy-4O for dix@ietf.org; Wed, 20 Jun 2007 10:28:26 -0400
Received: from smtp.senderpays.com ([208.185.247.233] helo=srve-v64.srve.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I11AW-0002Zl-Mx for dix@ietf.org; Wed, 20 Jun 2007 10:28:26 -0400
Received: from localhost (www.hunneypocketed.emsvr.com [203.206.137.129] (may be forged)) (authenticated bits=0) by srve-v64.srve.com (8.13.8/8.13.8/CWT/DCE) with ESMTP id l5KESLi1026198 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <dix@ietf.org>; Wed, 20 Jun 2007 14:28:24 GMT
Date: Thu, 21 Jun 2007 00:28:24 +1000
From: Chris Drake <christopher@pobox.com>
X-Priority: 3 (Normal)
Message-ID: <726356053.20070621002824@pobox.com>
To: Digital Identity Exchange <dix@ietf.org>
Subject: Re[2]: [dix] Agenda bashing
In-Reply-To: <44ACA9CF.7090605@cisco.com>
References: <20060703172550.A182A222425@laser.networkresonance.com> <44A973DC.9040801@cisco.com> <86zmfqa0au.fsf@raman.networkresonance.com> <8C86E9E37E4BD3C-1288-2A5B@FWM-D05.sysops.aol.com> <44ACA9CF.7090605@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 1.2 (+)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org
Hi Eliot, It's actually possible to get your secure opaque channel without smart cards. Merely some nifty graphics, HTML, and shared secrets (traditional meaning) are one implementation, while non-smart tokens are another (eg: printed or electronic tokens) Servers can't communicate "securely" unless something is able to "authenticate" the *server* before it is allowed to authenticate the user. Smart cards and PwdHash don't/can't do this, at least not without extra hardware at the client, which almost nobody has of course. Kind Regards, Chris Drake Thursday, July 6, 2006, 4:12:31 PM, you wrote: EL> thayes0993@aol.com wrote: >> I believe that PwdHash does rely on a certain level of proof of the >> server's identity. The browser needs to decide that >> the domain name that the server is presenting actually belongs to it. >> This is usually done by relying on SSL/TLS. >> If the false server can convince the browser that it is in fact the >> targeted domain, then the browser will happily >> transmit the full credential (H(password, domain)) to the server. >> >> PwdHash does NOT require that the proved domain match anything the >> user has in mind. That is, the identity >> does not need to be presented to the user, or compared against >> anything the user is doing. This seems to be the >> primary problem in phishing attacks (the last foot). That's where the >> real advantage of techniques like PwdHash are. EL> Pretty neat. There are two problems that still really need to be EL> addressed. The first is that you need to manage a transition. It must EL> be clearly visible to the user when PwdHash is used and when it is not. EL> Otherwise someone just phishes the original password and that's the ball EL> game. EL> Second, PwdHash still relies on the underlying security of the user's EL> computer. I don't know about you but that is a goal I would like to EL> address. I want a means to have a secure opaque channel of EL> communication between the server and the smart card. That's what I'm EL> looking for from the IETF. EL> Eliot EL> _______________________________________________ EL> dix mailing list EL> dix@ietf.org EL> https://www1.ietf.org/mailman/listinfo/dix _______________________________________________ dix mailing list dix@ietf.org https://www1.ietf.org/mailman/listinfo/dix
- Re: [dix] Agenda bashing Eliot Lear
- [dix] Agenda bashing Pete Resnick
- Re: [dix] Agenda bashing Eliot Lear
- Re: [dix] Agenda bashing Eric Rescorla
- RE: [dix] Agenda bashing Hallam-Baker, Phillip
- Re: [dix] Agenda bashing Eric Rescorla
- Re: [dix] Agenda bashing Pete Resnick
- Re: [dix] Agenda bashing Eric Rescorla
- Re: [dix] Agenda bashing Haripriya S
- Re: [dix] Agenda bashing Eric Rescorla
- Re: [dix] Agenda bashing thayes0993
- Re: [dix] Agenda bashing Eric Rescorla
- Re: [dix] Agenda bashing Eliot Lear
- Re: [dix] Agenda bashing Ben Laurie
- Re: [dix] Agenda bashing Eliot Lear
- Re: [dix] Agenda bashing Eric Rescorla
- RE: [dix] Agenda bashing Hallam-Baker, Phillip
- Re: [dix] Agenda bashing Eric Rescorla
- Re: [dix] Agenda bashing Eliot Lear
- Re: [dix] Agenda bashing Eliot Lear
- Re: [dix] Agenda bashing Eric Rescorla
- Re: [dix] Agenda bashing Eliot Lear
- Re[2]: [dix] Agenda bashing Chris Drake