Re: [dix] Agenda bashing
Eric Rescorla <ekr@networkresonance.com> Wed, 05 July 2006 23:07 UTC
To: thayes0993@aol.com
Subject: Re: [dix] Agenda bashing
From: Eric Rescorla <ekr@networkresonance.com>
Date: Wed, 05 Jul 2006 16:07:03 -0700
In-Reply-To: <8C86E9E37E4BD3C-1288-2A5B@FWM-D05.sysops.aol.com> (thayes's message of "Wed, 05 Jul 2006 19:02:26 -0400")
Cc: dix@ietf.org

thayes0993@aol.com writes:

> I believe that PwdHash does rely on a certain level of proof of the
> server's identity. The browser needs to decide that the domain name
> that the server is presenting actually belongs to it. This is usually
> done by relying on SSL/TLS. If the false server can convince the
> browser that it is in fact the targeted domain, then the browser will
> happily transmit the full credential (H(password, domain)) to the
> server.
>
> PwdHash does NOT require that the proved domain match anything the
> user has in mind. That is, the identity does not need to be presented
> to the user, or compared against anything the user is doing. This
> seems to be the primary problem in phishing attacks (the last foot).
> That's where the real advantage of techniques like PwdHash is.

I think this is a fair summary.

-Ekr

> -----Original Message-----
> From: Eric Rescorla <ekr@networkresonance.com>
> To: Digital Identity Exchange <dix@ietf.org>
> Sent: Mon, 3 Jul 2006 13:41:29 -0700
> Subject: Re: [dix] Agenda bashing
>
> Eliot Lear <lear@cisco.com> writes:
>
>> but I claim that the most *effective* way to prevent
>> phishing is to demand that the server prove its identity enough to know
>> the right question to ask of the client. If PwdHash covers this ground,
>> then we agree.
>
> It doesn't. It uses an entirely different technique.

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix
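
An added illustration of the summary above (not part of the original message and not PwdHash's own code): the credential is bound to whatever domain the browser has accepted for the server, so a look-alike domain receives a value the real site would reject, while a server the browser accepts as the target receives the full credential. HMAC-SHA256 stands in for H as an assumption, and the password, domains and function names are constructed for the example.

```python
import hashlib
import hmac

def site_credential(password: str, domain: str) -> str:
    # Stand-in for H(password, domain). HMAC-SHA256 is an assumption of this
    # example, not necessarily the construction PwdHash itself uses.
    mac = hmac.new(password.encode(), domain.lower().encode(), hashlib.sha256)
    return mac.hexdigest()

def credential_usable(password: str, real_domain: str, believed_domain: str) -> bool:
    """True if what the browser sends would be accepted by the real site.

    believed_domain is the domain the browser has decided the server owns
    (usually via SSL/TLS). What the user thinks the site is plays no part.
    """
    sent = site_credential(password, believed_domain)
    expected = site_credential(password, real_domain)
    return hmac.compare_digest(sent, expected)

# Constructed scenarios: (label, domain the browser believes it is talking to)
SCENARIOS = [
    ("genuine site", "bank.example"),
    ("look-alike phishing domain, user fooled", "bank-secure.example"),
    ("false server accepted by the browser as the target", "bank.example"),
]

def run(password: str = "correct horse", real_domain: str = "bank.example") -> dict:
    # Map each scenario to whether the transmitted value works at the real site.
    return {label: credential_usable(password, real_domain, believed)
            for label, believed in SCENARIOS}

if __name__ == "__main__":
    for label, usable in run().items():
        print(f"{label}: usable at real site = {usable}")
```

The second scenario is the case where the user's judgment fails but the hash protects the password; the third is the residual dependence on the browser's verification of the server's domain.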