[79549] in cryptography@c2.net mail archive
Re: Failure of PKI in messaging
daemon@ATHENA.MIT.EDU (James A. Donald)
Fri Feb 16 09:54:15 2007
Date: Fri, 16 Feb 2007 14:51:32 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
In-Reply-To: <20070216031211.40350.qmail@simone.iecc.com>
--
> > My proposal closes off the major attack path
John Levine wrote:
> It doesn't do anything about the obvious attack path
> of phishing credentials from the users to stick bogus
> trusted entries into their accounts.
Actually it does. Think about it.
> My examples showed all sorts of benign looking
> situations in which users provide their credentials to
> parties of unknown identity or reliability.
I don't see that your examples have any relevance to my
proposals. The word "credential" is nowhere mentioned
or relevant, nor is providing one's credentials to
criminals a problem unless one's credential is in fact
a shared secret, such as a credit card number. So we
should not use shared secrets any more - that is a given
for any and all serious proposals.
Your criticism is not a criticism of my proposal, it is
a criticism of using the same password all over the net.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
hyNNu45kHRCn/6vEXQhYdbU/w1YW4J/TF8BDsJz0
495s+VYSd3RjDiopACgr9JccOdvE7cTtQV6xgA8sK
---------------------------------------------------------------------
The Cryptography Mailing List