Failure of PKI in messaging

James A. Donald jamesd at
Thu Feb 15 23:51:32 EST 2007

 > > My proposal closes off the major attack path

John Levine wrote:
 > It doesn't do anything about the obvious attack path
 > of phishing credentials from the users to stick bogus
 > trusted entries into their accounts.

Actually it does.  Think about it.

 > My examples showed all sorts of benign looking
 > situations in which users provide their credentials to
 > parties of unknown identity or reliability.

I don't see that your examples have any relevance to my
proposals.  The word "credential" is nowhere mentioned
or relevant, nor is providing one's credentials to
criminals a problem unless one's credential is in fact
a shared secret, such as a credit card number.  So we
should not use shared secrets any more - that is a given
for any and all serious proposals.

Your criticism is not a criticism of my proposal, it is
a criticism of using the same password all over the net.

          James A. Donald

The Cryptography Mailing List