Using crypto against Phishing, Spoofing and Spamming...

Anne & Lynn Wheeler lynn at garlic.com
Thu Jul 15 11:06:42 EDT 2004


At 06:42 AM 7/15/2004, Rich Salz wrote:
>it wasn't a CCard transaction, my liability under SET was unlimited (at
>least until Congress caught up to the technology).  Looking at the risk
>management aspect, SET was a big loser for the customer.

my earlier responses
http://www.garlic.com/~lynn/aadsm17.htm#53
http://www.garlic.com/~lynn/aadsm17.htm#54

i also included some discussion on it at a talk i gave on
naked keys at global grid forum conference last month,
focusing on business issues of authentication;
... minor ref (with pointer to the GGF pages &
presentation):
http://www.garlic.com/~lynn/2004g.html#53

with some comparison to x9.59
http://www.garlic.com/~lynn/index.html#x959

.... one of the business issues of public key infrastructures
is the dual-issue vulnerability of using digital signatures
for both authentication and signatures.

many of the authentication infrastructures have the
server sending the user some random data to be signed
as part of authentication (issues like replay attacks, etc);
which the user never looks at.

ignoring all the non-repudiation issues .... real signatures
are supposed to imply things like agreement, approval,
and/or authorization (of the contents of what is being
signed).

the dual-use vulnerability is ever having signed random
data ... w/o reading it .... and using the same technology
to sign documents where reading is implied (as well as
agreement, approval, authorization).

the scenario is somewhat out of MASH where Radar
is periodically having the col. sign documents w/o
having read them.


--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/ 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
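The dual-use problem described in the post above, shown as an added example that is not part of the original message or of any protocol it mentions. It assumes Ed25519 keys (the post does not name an algorithm) and two hypothetical domain tags of my own choosing. The "naive" path signs whatever bytes the server sends, so a signature produced in an authentication exchange also verifies as a signature over a document made of the same bytes; the "separated" path prefixes a purpose tag before signing, so the same key can serve both flows without an authentication signature being acceptable as a document signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Hypothetical domain-separation tags (an assumption of this example,
// not taken from the post). Each signing purpose gets its own prefix.
const (
	tagAuth = "example-auth-challenge-v1:"
	tagDoc  = "example-document-v1:"
)

// naiveSign/naiveVerify model the flow the post describes: the user
// signs the server's bytes as-is, with the same key used for documents.
func naiveSign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func naiveVerify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// signWithDomain/verifyWithDomain bind every signature to a purpose by
// signing tag||msg. A verifier for one purpose uses its own tag, so a
// signature made for another purpose fails to verify.
func signWithDomain(priv ed25519.PrivateKey, tag string, msg []byte) []byte {
	return ed25519.Sign(priv, append([]byte(tag), msg...))
}

func verifyWithDomain(pub ed25519.PublicKey, tag string, msg, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(tag), msg...), sig)
}

// CrossUseResult records whether one signature is accepted by the
// authentication verifier it was made for, and whether the same
// signature is also accepted as a document signature.
type CrossUseResult struct {
	AuthVerifies bool
	DocVerifies  bool
}

// CrossUse generates a fresh key pair, has the "user" sign an
// authentication challenge that happens to consist of the document
// bytes (the unread-data case from the post), and then checks that
// signature against both verifiers. With separate=false the raw bytes
// are signed; with separate=true the domain tags are applied.
func CrossUse(doc []byte, separate bool) (CrossUseResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return CrossUseResult{}, err
	}

	// The "random" challenge the user signs without looking at it.
	challenge := doc

	if separate {
		sig := signWithDomain(priv, tagAuth, challenge)
		return CrossUseResult{
			AuthVerifies: verifyWithDomain(pub, tagAuth, challenge, sig),
			DocVerifies:  verifyWithDomain(pub, tagDoc, doc, sig),
		}, nil
	}

	sig := naiveSign(priv, challenge)
	return CrossUseResult{
		AuthVerifies: naiveVerify(pub, challenge, sig),
		DocVerifies:  naiveVerify(pub, doc, sig),
	}, nil
}

func main() {
	// Constructed sample document; any bytes would do.
	doc := []byte("I approve payment of 1,000,000 to account 12345")

	naive, err := CrossUse(doc, false)
	if err != nil {
		panic(err)
	}
	sep, err := CrossUse(doc, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("raw signing:       auth=%v doc=%v\n", naive.AuthVerifies, naive.DocVerifies)
	fmt.Printf("domain-separated:  auth=%v doc=%v\n", sep.AuthVerifies, sep.DocVerifies)
}
```

The tag is the whole mitigation: the document verifier reconstructs `tagDoc||doc`, which is never what the user signed in the authentication flow, so the cross-purpose check fails while the in-purpose check still passes. In practice the authentication verifier should also let the client contribute its own nonce rather than signing server-chosen bytes alone, but the domain tag is what keeps the two uses of one key from being interchangeable.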