[Cryptography] Toxic Combination

Benjamin Kreuter brk7bx at virginia.edu
Wed Dec 3 17:31:06 EST 2014

On Wed, 2014-12-03 at 17:56 +0000, Ben Laurie wrote:

> And it has to be secure - which includes "not allow credential theft _even
> by the site operator_".

It also needs to be secure against forwarding, since a phishing site
might simultaneously communicate with you and with the real site e.g.
forwarding (possibly modified) messages between you and the site.  That
is a complicated way to say that we need non-malleable identification.
The good news is that we know how to make NM zero-knowledge
identification protocols; the bad news is that we have yet to deploy
such things, and that is the harder problem (IMO).

> BTW, it's not clear to me how either of these would remove the need for
> something with a CA-like role.

I do not think a CA of any kind is needed for identification.  A
phishing site should not be any different from a non-phishing site that
was hacked.  It makes no difference who I identify myself to if it is
not possible to impersonate me.

Of course there is more to most applications than just identifying
yourself, so CAs might still be needed in real applications.  The point
is that we do not need to rely on CAs to securely authenticate users.

-- Ben
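
Added example (not part of the original message): the forwarding scenario described above, sketched in Python with a Schnorr-style proof over a toy group. Binding the verifier's name into the challenge hash is a simple stand-in chosen here, not the non-malleable zero-knowledge protocols the post refers to; the names real.example and phish.example, the group parameters and all function names are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only; far too weak for real use.
P = 2**127 - 1          # Mersenne prime
N = P - 1               # exponents are reduced mod P-1 (Fermat)
G = 3

def H(*parts):
    """Hash length-prefixed parts to a challenge in [0, N)."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)              # x stays with the user; the site stores only y

def prove(x, nonce, verifier_name=None):
    """User side. verifier_name is the site the user's client believes it is talking to."""
    k = secrets.randbelow(N - 1) + 1
    r = pow(G, k, P)
    c = H(r, nonce) if verifier_name is None else H(r, nonce, verifier_name)
    return r, (k + c * x) % N

def verify(y, nonce, proof, own_name=None):
    """Site side. own_name is the site's own name, if the protocol binds it."""
    r, s = proof
    c = H(r, nonce) if own_name is None else H(r, nonce, own_name)
    return pow(G, s, P) == (r * pow(y, c, P)) % P

def relay_login(bind_name):
    """The user talks to phish.example, which forwards real.example's nonce
    to the user and the user's answer back. Returns real.example's verdict."""
    x, y = keygen()
    nonce = secrets.token_bytes(16)                       # issued by real.example
    proof = prove(x, nonce, "phish.example" if bind_name else None)
    return verify(y, nonce, proof, "real.example" if bind_name else None)

def direct_login():
    """The user talks to real.example directly, with name binding."""
    x, y = keygen()
    nonce = secrets.token_bytes(16)
    return verify(y, nonce, prove(x, nonce, "real.example"), "real.example")
```

In both variants the site stores only the public value y, so the operator holds nothing that lets it answer a challenge as the user.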