[dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements




On 6/23/06, Mark Nottingham <mnot at yahoo-inc.com> wrote:

On 2006/06/19, at 2:59 PM, Eric Rescorla wrote:

1. Capture-Resistant Credentials (CRC)

This is a bit confusing; to me (disclaimer -- I'm just a layman, not a security expert), phishing is based on confusing the user about the RP's identity, not reusing credentials from RP X with RP Y. Of course, if you enable Common User Credentials, phishing will be possible in this manner.


FWIW, I took this to mean that the attacker is able to reuse your credentials on the site being impersonated. For example, Basic+TLS requests give up your plain text password to chase.com if you are tricked into sending them to evil-chase.com.

--

Robert Sayre

_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
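An added illustration of the contrast Robert draws (this is not code from the thread, and the host-bound challenge-response below is my own simplified sketch, not the CRC mechanism Eric's notes propose): a Basic credential handed to evil-chase.com is the plaintext password, usable anywhere; an HMAC over a server nonce plus the hostname the client actually connected to is not reusable against chase.com, even if the phisher relays chase.com's real nonce. All values (user "alice", password "hunter2", hostnames, the SHA-256 key derivation) are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Tuple


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic(header: str) -> Tuple[str, str]:
    """What evil-chase.com learns from a captured Basic header: the plaintext password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- simplified host-bound challenge-response (illustrative assumption, not the CRC proposal) ---

def derive_key(password: str) -> bytes:
    # A real scheme would use a salted, slow KDF; plain SHA-256 keeps the example self-contained.
    return hashlib.sha256(password.encode()).digest()


def client_response(password: str, nonce: bytes, connected_host: str) -> str:
    """Client MACs the server nonce together with the host it actually reached
    (in practice taken from the TLS server certificate, not from the page)."""
    key = derive_key(password)
    return hmac.new(key, nonce + b"|" + connected_host.encode(), hashlib.sha256).hexdigest()


def server_verify(password: str, nonce: bytes, own_host: str, response: str) -> bool:
    """Server recomputes with its own nonce and its own hostname; constant-time compare."""
    expected = client_response(password, nonce, own_host)
    return hmac.compare_digest(expected, response)


def phishing_scenario(password: str = "hunter2") -> dict:
    """User is tricked into authenticating to evil-chase.com; the phisher then
    tries the captured material against chase.com. Returns what succeeds."""
    # Basic: the captured header decodes straight back to the password.
    leaked_password = recover_basic(basic_header("alice", password))[1]

    # Challenge-response: phisher relays chase.com's genuine nonce to the victim,
    # but the victim is connected to evil-chase.com, so that is what gets bound in.
    real_nonce = secrets.token_bytes(16)  # constructed: issued by chase.com
    captured = client_response(password, real_nonce, "evil-chase.com")
    replay_accepted = server_verify(password, real_nonce, "chase.com", captured)

    # Sanity check: the same user authenticating directly to chase.com still works.
    legit_accepted = server_verify(
        password, real_nonce, "chase.com", client_response(password, real_nonce, "chase.com")
    )
    return {
        "basic_leaks_password": leaked_password == password,
        "replay_accepted": replay_accepted,
        "legit_accepted": legit_accepted,
    }


if __name__ == "__main__":
    print(phishing_scenario())
```

The binding to the connected hostname is what does the work: without it, a relayed nonce would yield a response that verifies at the real site, which is exactly the reuse Robert describes for Basic+TLS.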





ot architectural ones. However, keep in mind that the answers you give have serious architectural implications.)

pr
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.