RE: [dix] Agenda bashing

> From: Eric Rescorla [mailto:ekr at networkresonance.com] 

> That's *one* way to attack phishing (at least the current form).
> There are others (cf. PwdHash)

There are three basic approaches to defeat phishing.

Phishing is an ATTACK where SOCIAL ENGINEERING is designed to STEAL CREDENTIALS.


1) Defeat the infrastructure of a specific attack
	Here we have takedown services such as the VeriSign Anti-Phishing solution, filtering of the phishing spam, blocking known phishing capture sites, fraud detection services, etc.

2) Defeat the social engineering attack using strong outbound authentication
	This is the principal purpose of Secure Internet Letterhead: use the PKIX logotype extension in an EV X.509 certificate to provide a trustworthy proof of legitimate use of the subject brand. Letterhead may be used in conjunction with DKIM or S/MIME to provide trustworthy proof of origin in the email channel, or with SSL to provide trustworthy proof of origin on the Web.

3) Defeat the theft of the credentials by making the credentials theft-resistant.
	The OATH consortium is working to provide an open, unencumbered standard for strong authentication whether OTP or PKI based. The algorithms for the OTP version have already been issued as informational RFCs. Other necessary infrastructure is being built out.


WAE does not fit into 1 or 2, and it does not directly address 3.

Where WAE fits in is that it facilitates the infrastructure changes necessary to make widespread deployment of #3 solutions possible.

With WAE I can in theory go down to Fry's, buy a token and then use it to secure access to my bank account without the bank needing to support my specific token technology. All they need to know is that I am using something better than username and password, and that the authentication service provider will provide an acceptable SLA.

_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
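As an added illustration of what "theft-resistant" means for the OTP approach in point 3 (this is example code written for this page, not code from the original message or from the OATH consortium): a HOTP generator following RFC 4226 and a server-side verifier in which every code is single-use. A code captured by a phishing site is worthless once the legitimate user's code has been consumed or the counter has moved past it. The look-ahead window size of 10 is an assumed server policy, and the secret is the RFC 4226 Appendix D test-vector secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226 section 5.3)."""
    # HMAC-SHA-1 over the 8-byte big-endian moving factor.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


class HotpValidator:
    """Server-side verifier with a look-ahead window (RFC 4226 section 7.4).

    The server stores its own counter per token. A successful verification
    advances that counter past the accepted value, so the same code can never
    be accepted twice and older codes become invalid as the user moves on.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead  # assumed resynchronisation policy

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1  # consume this and all earlier values
                return True
        return False


# Constructed demonstration using the RFC 4226 Appendix D test secret.
TEST_SECRET = b"12345678901234567890"


def replay_demo() -> tuple:
    """Returns (first use accepted, replay accepted, later code accepted, stale code accepted)."""
    v = HotpValidator(TEST_SECRET)
    first = v.verify(hotp(TEST_SECRET, 0))   # legitimate use of counter 0
    replay = v.verify(hotp(TEST_SECRET, 0))  # same code captured and replayed
    later = v.verify(hotp(TEST_SECRET, 2))   # user skipped counter 1, still in window
    stale = v.verify(hotp(TEST_SECRET, 1))   # counter 1 is now behind the server
    return first, replay, later, stale
```

The returned tuple reads (True, False, True, False): the stolen code is refused on replay, and a code for a counter the server has already passed is refused as well.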