Re: [dix] Agenda bashing
Eliot Lear <lear at cisco.com> wrote:
> Pete,
> > So, from the conversation so far, these are the architectural/protocol
> > issues I think need discussing at the BOF:
> >
> > - Discussion of the scope and number of the mechanisms. There seem to
> > be desires for (1) the ability for the user to identify to the server
> > (probably authenticating, preventing phishing as much as possible),
> > (2) the ability to transfer user attributes to the server, (3) the
> > ability to store user attributes remotely, and (4) the ability for a
> > 3rd-party to warrant user attribute claims.
>
> On point (1) in order to fix phishing it is the server that must
> properly authenticate to the user (e.g., other way round).
That's *one* way to attack phishing (at least the current form).
There are others (cf. PwdHash).
-Ekr