[79547] in cryptography@c2.net mail archive
Re: Failure of PKI in messaging
daemon@ATHENA.MIT.EDU (John Levine)
Fri Feb 16 09:51:36 2007
Date: 16 Feb 2007 03:12:11 -0000
From: John Levine <johnl@iecc.com>
To: cryptography@metzdowd.com
In-Reply-To: <45D51477.7070808@echeque.com>
Cc: jamesd@echeque.com
> >> Suppose we have a messaging service that, like Yahoo,
> >> is also a single signon service, ...
>
> John Levine wrote:
> > Then you just change the attack model.
> My proposal closes off the major attack path, and leaves the trojan
> and virus attack path wide open.

It doesn't do anything about the obvious attack path of phishing
credentials from the users to stick bogus trusted entries into their
accounts. My examples showed all sorts of benign looking situations
in which users provide their credentials to parties of unknown
identity or reliability.

R's,
John
---------------------------------------------------------------------
The Cryptography Mailing List