Re: [dix] Agenda bashing

Eric Rescorla <ekr@networkresonance.com> Wed, 05 July 2006 23:07 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FyGSZ-0005Pd-Hc; Wed, 05 Jul 2006 19:07:07 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FyGSZ-0005PY-1h for dix@ietf.org; Wed, 05 Jul 2006 19:07:07 -0400
Received: from raman.networkresonance.com ([198.144.196.3]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FyGSW-0001Yj-Lq for dix@ietf.org; Wed, 05 Jul 2006 19:07:07 -0400
Received: by raman.networkresonance.com (Postfix, from userid 1001) id BE3F31E8C1F; Wed, 5 Jul 2006 16:07:03 -0700 (PDT)
To: thayes0993@aol.com
Subject: Re: [dix] Agenda bashing
References: <20060703172550.A182A222425@laser.networkresonance.com> <44A973DC.9040801@cisco.com> <86zmfqa0au.fsf@raman.networkresonance.com> <8C86E9E37E4BD3C-1288-2A5B@FWM-D05.sysops.aol.com>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Wed, 05 Jul 2006 16:07:03 -0700
In-Reply-To: <8C86E9E37E4BD3C-1288-2A5B@FWM-D05.sysops.aol.com> (thayes's message of "Wed, 05 Jul 2006 19:02:26 -0400")
Message-ID: <86u05virc8.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0ddefe323dd869ab027dbfff7eff0465
Cc: dix@ietf.org
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: EKR <ekr@networkresonance.com>, Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

thayes0993@aol.com writes:

> I believe that PwdHash does rely on a certain level of proof of the
> server's identity.  The browser needs to decide that the domain name
> that the server is presenting actually belongs to it.  This is usually
> done by relying on SSL/TLS.  If the false server can convince the
> browser that it is in fact the targeted domain, then the browser will
> happily transmit the full credential (H(password, domain)) to the
> server.
>
> PwdHash does NOT require that the proved domain match anything the
> user has in mind.  That is, the identity does not need to be presented
> to the user, or compared against anything the user is doing.  This
> seems to be the primary problem in phishing attacks (the last foot).
> That's where the real advantage of techniques like PwdHash is.

I think this is a fair summary.

-Ekr


> -----Original Message-----
> From: Eric Rescorla <ekr@networkresonance.com>
> To: Digital Identity Exchange <dix@ietf.org>
> Sent: Mon, 3 Jul 2006 13:41:29 -0700
> Subject: Re: [dix] Agenda bashing
>
>   Eliot Lear <lear@cisco.com> writes:
>
>> but I claim that the most *effective* way to prevent phishing is to
>> demand that the server prove its identity enough to know the right
>> question to ask of the client.  If PwdHash covers this ground, then
>> we agree.
>
> It doesn't. It uses an entirely different technique.
>
>
>
> _______________________________________________
> dix mailing list
> dix@ietf.org
> https://www1.ietf.org/mailman/listinfo/dix

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix