Failure of PKI in messaging
James A. Donald
jamesd at echeque.com
Thu Feb 15 23:51:32 EST 2007
--
> > My proposal closes off the major attack path
John Levine wrote:
> It doesn't do anything about the obvious attack path
> of phishing credentials from the users to stick bogus
> trusted entries into their accounts.
Actually it does. Think about it.
> My examples showed all sorts of benign looking
> situations in which users provide their credentials to
> parties of unknown identity or reliability.
I don't see that your examples have any relevance to my
proposals. The word "credential" is nowhere mentioned
or relevant, nor is providing one's credentials to
criminals a problem unless one's crediential is in fact
a shared secret, such as a credit card number. So we
should not use shared secrets any more - that is a given
for any and all serious proposals.
Your criticism is not a criticism of my proposal, it is
a criticism of using the same password all over the net.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
hyNNu45kHRCn/6vEXQhYdbU/w1YW4J/TF8BDsJz0
495s+VYSd3RjDiopACgr9JccOdvE7cTtQV6xgA8sK
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list