IETF Logo Mail Archive

Re: [saag] SHA-1 to SHA-n transition

Stephen Kent <kent@bbn.com> Tue, 03 March 2009 00:24 UTC

Return-Path: <kent@bbn.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0C6428C265 for <saag@core3.amsl.com>; Mon, 2 Mar 2009 16:24:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[AWL=0.508, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lq594Ajv4itH for <saag@core3.amsl.com>; Mon, 2 Mar 2009 16:24:13 -0800 (PST)
Received: from mx3.bbn.com (mx3.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id EFBC83A67E6 for <saag@ietf.org>; Mon, 2 Mar 2009 16:22:58 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[10.71.0.151]) by mx3.bbn.com with esmtp (Exim 4.63) (envelope-from <kent@bbn.com>) id 1LeIPr-0006Ab-C5; Mon, 02 Mar 2009 19:23:24 -0500
Mime-Version: 1.0
Message-Id: <p06240803c5d20710d8d3@[128.89.89.88]>
In-Reply-To: <20090302181657.GV9992@Sun.COM>
References: <0c2301c9979f$8a1cd770$0600a8c0@china.huawei.com> <2788466ED3E31C418E9ACC5C3166155768B2CE@mou1wnexmb09.vcorp.ad.vrsn.com> <20090226143809.GF7227@mit.edu> <1235663917.3293.16.camel@localhost> <20090226165448.GK9992@Sun.COM> <20090227022359.8D45150822@romeo.rtfm.com> <20090302161134.GG9992@Sun.COM> <20090302172135.DA43650822@romeo.rtfm.com> <20090302171122.GM9992@Sun.COM> <20090302181143.2B7B550822@romeo.rtfm.com> <20090302181657.GV9992@Sun.COM>
Date: Mon, 02 Mar 2009 17:02:13 -0500
To: Nicolas Williams <Nicolas.Williams@sun.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2009 00:24:14 -0000

At 12:16 PM -0600 3/2/09, Nicolas Williams wrote:
>On Mon, Mar 02, 2009 at 10:11:43AM -0800, Eric Rescorla wrote:
>>  And the attacker will just pop up a dialog that says "our cool new UI
>>  system is broken. Type your password into the form for now." This is
>>  quite clear from [SDO+07].
>
>Clearly.  Eventually this would no longer be true -- but we'll never get
>there if we don't provide any mechanisms that can overcome this.
>Certificates won't do because passwords remain, and will remain the
>lowest common denominator for a long time.
>
>Unless small, portable devices with UIs (mobile phones!) become so
>ubiquitous (they're getting there) that they are as portable and ever
>present as passwords.  But I suspect the same will apply to that
>alternative: it will be years before we stop relying on passwords.

Not only does one need to carry a mobile phone everywhere to login, 
one also has to have an essentially free SMS service to avoid paying 
a phone service provider for authentication messages. The same 
requirement would apply to the sites that need to use SMS to send and 
receive these messages.

Steve

v2.23.0 | Report a Bug | By Email