Another entry in the internet security hall of shame....

James A. Donald jamesd at echeque.com
Mon Aug 29 21:35:52 EDT 2005


    --
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
> TLS-PSK fixes this problem by providing mutual
> authentication of client and server as part of the key
> exchange.  Both sides demonstrate proof-of-possession
> of the password (without actually communicating the
> password); if either side fails to do this then the
> TLS handshake fails.  Its only downside is that it
> isn't widely supported yet, it's only just been added
> to OpenSSL, and who knows when it'll appear in
> Windows/MSIE, Mozilla, Konqueror, Safari,

This will take out 90% of phishing spam, when widely
adopted.

We also need support for measures of key persistence,
like trustbar, but there seems to be a lot of resistance
to this, for no reason I understand.

In its current incarnation, trustbar takes up too damn
much real estate, and requires too much manual support.
We need a less obtrusive key persistence measure.

Petname is less obtrusive, and requires less manual
support, but still too much.  The trustbar logos are the
way to go, and logos of about that size are becoming a
standard feature of web pages.  If it could look as cool
as trustbar, while needing even less manual intervention
Petname ....

Also petnames need to be linked to favorites.  When you
are on a site that is on your favorites list, you should
see that it is on your favorites list.




    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     /RwA4zRnu4D2L0mSgGcsMv2Z3UGRcRDZnsqwkzh0
     4QVXdCrfQfW0WLkPqTvEk16BxjqokNWgRWZOOTahd
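The property Gutmann's quoted paragraph describes, each side proving it knows the pre-shared key without ever sending it and the handshake aborting when either proof fails, is illustrated below with a toy two-party handshake. This is an added example, not code from the post, from OpenSSL, or from RFC 4279: the HMAC-based key derivation, the `client finished` / `server finished` labels, the `rogue_server` flag (modelling a phishing host that does not know the PSK and simply forges its proof) and the message ordering are all simplifying assumptions, not the real TLS-PSK key schedule or record format.

```python
"""Toy PSK handshake showing mutual proof-of-possession (added example).

Not RFC 4279 TLS-PSK: the KDF, labels and message layout are stand-ins chosen
to make the security property visible, nothing more.
"""
import hashlib
import hmac
import os

# Transcript labels for the two Finished-style proofs (toy constants, an assumption).
CLIENT_LABEL = b"client finished"
SERVER_LABEL = b"server finished"


def derive_session_key(psk: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Bind a per-session key to the PSK and both nonces with HMAC-SHA256.

    Stand-in for the TLS PRF.  The PSK is only ever an HMAC key here; it is
    never placed in a message, so a passive observer sees only nonces and MACs.
    """
    return hmac.new(psk, b"toy-kdf" + client_nonce + server_nonce, hashlib.sha256).digest()


def proof(key: bytes, label: bytes, transcript: bytes) -> bytes:
    """Finished-style MAC over the handshake transcript under the session key."""
    return hmac.new(key, label + transcript, hashlib.sha256).digest()


def run_handshake(client_psk: bytes, server_psk: bytes,
                  rogue_server: bool = False) -> tuple[bool, str]:
    """Simulate both sides of a PSK handshake and report whether it completes.

    Message flow (TLS 1.2 order, where the client's Finished goes first):
      1. client -> server: client_nonce
      2. server -> client: server_nonce
      3. client -> server: client_proof
      4. server verifies client_proof; server -> client: server_proof
      5. client verifies server_proof
    rogue_server=True models a phishing host without the PSK: it skips the
    check in step 4 and forges a proof under whatever key it derived.
    """
    client_nonce = os.urandom(32)
    server_nonce = os.urandom(32)
    transcript = client_nonce + server_nonce  # everything that crossed the wire so far

    client_key = derive_session_key(client_psk, client_nonce, server_nonce)
    server_key = derive_session_key(server_psk, client_nonce, server_nonce)

    # Step 3: the client proves possession.  Only a MAC crosses the wire.
    client_proof = proof(client_key, CLIENT_LABEL, transcript)

    # Step 4: an honest server recomputes the proof with its own derived key.
    if not rogue_server and not hmac.compare_digest(
            client_proof, proof(server_key, CLIENT_LABEL, transcript)):
        return False, "server: client failed proof-of-possession, handshake aborted"
    server_proof = proof(server_key, SERVER_LABEL, transcript)

    # Step 5: the client checks the server's proof the same way; a server that
    # derived its key from the wrong PSK cannot produce a matching MAC.
    if not hmac.compare_digest(server_proof, proof(client_key, SERVER_LABEL, transcript)):
        return False, "client: server failed proof-of-possession, handshake aborted"
    return True, "mutual proof-of-possession succeeded"


if __name__ == "__main__":
    print(run_handshake(b"s3cret", b"s3cret"))
    print(run_handshake(b"wrong", b"s3cret"))
    print(run_handshake(b"s3cret", b"guess", rogue_server=True))
```

Two things the toy makes visible. First, a mismatch is detected by whichever side verifies first; the failing side cannot tell whether it or its peer has the wrong key, only that the proofs disagree. Second, in the TLS 1.2 ordering the client's proof reaches the server before the server has proved anything, so a rogue server that captures `client_proof` together with both nonces holds enough to run an offline guessing attack against a low-entropy PSK. That is why RFC 4279 warns against using a user-chosen password directly as the PSK, and it is a caveat to weigh alongside the deployment problem Gutmann mentions.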

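The key-persistence idea in the post (trustbar, Petname, and the wish that a site on your favorites list is visibly recognised as such) comes down to one check: remember the key a site presented when the user named it, and on later visits compare. The following store is an added example, not code from Petname, TrustBar, or the post: the `PetnameStore` class, its `remember` / `check` methods, the status strings and the constructed certificate byte strings are all assumptions made for illustration. Fingerprinting is SHA-256 over the raw certificate bytes.

```python
"""Petname-style key persistence with a favorites flag (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes; the value that is pinned."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Entry:
    petname: str
    fingerprint: str
    favorite: bool


class PetnameStore:
    """Maps a hostname to the user-chosen petname and the key first seen there.

    Assumption: an in-memory dict stands in for whatever a browser extension
    would persist to disk.
    """

    def __init__(self) -> None:
        self._by_host: Dict[str, Entry] = {}

    def remember(self, host: str, cert_der: bytes, petname: str,
                 favorite: bool = False) -> Entry:
        """Record the petname for host together with the key it presented now."""
        entry = Entry(petname, fingerprint(cert_der), favorite)
        self._by_host[host] = entry
        return entry

    def check(self, host: str, cert_der: bytes) -> dict:
        """Classify a visit as unknown, trusted, or key-changed.

        A lookalike host is 'unknown' because no petname was ever assigned to
        it; the genuine host with a different key is 'key-changed', which is
        the signal key persistence exists to raise.
        """
        entry: Optional[Entry] = self._by_host.get(host)
        if entry is None:
            return {"status": "unknown", "petname": None, "favorite": False}
        if entry.fingerprint != fingerprint(cert_der):
            return {"status": "key-changed", "petname": entry.petname,
                    "favorite": entry.favorite}
        return {"status": "trusted", "petname": entry.petname,
                "favorite": entry.favorite}


def indicator(result: dict) -> str:
    """One-line rendering of a check, the sort of thing a toolbar would show."""
    if result["status"] == "trusted":
        star = " (in your favorites)" if result["favorite"] else ""
        return f"Known site: {result['petname']}{star}"
    if result["status"] == "key-changed":
        return f"WARNING: key for '{result['petname']}' has changed"
    return "Unknown site: no petname"


# Constructed certificate stand-ins; real input would be DER from the TLS handshake.
BANK_CERT = b"constructed-cert-bank-v1"
BANK_CERT_NEW = b"constructed-cert-bank-v2"
PHISH_CERT = b"constructed-cert-phish"

if __name__ == "__main__":
    store = PetnameStore()
    store.remember("bank.example", BANK_CERT, "My Bank", favorite=True)
    for host, cert in [("bank.example", BANK_CERT),
                       ("bank.example", BANK_CERT_NEW),
                       ("bank-example.test", PHISH_CERT)]:
        print(host, "->", indicator(store.check(host, cert)))
```

The store keys on the hostname, so a phishing domain never inherits the petname however closely it resembles the real one, and the pinned fingerprint turns a silent certificate swap on the genuine host into a visible warning. Legitimate key rotation will also trigger that warning, which is the manual-support cost the post complains about; the favorites flag is what lets the indicator say "this is a site you chose" rather than merely "this is a site you have seen".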

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com