Re: [dix] Agenda bashing



Eric Rescorla wrote:
> Eliot Lear <lear at cisco.com> wrote:
>   
>> Pete,
>>     
>>> So, from the conversation so far, these are the architectural/protocol
>>> issues I think need discussing at the BOF:
>>>
>>> - Discussion of the scope and number of the mechanisms. There seem to
>>> be desires for (1) the ability for the user to identify to the server
>>> (probably authenticating, preventing phishing as much as possible),
>>> (2) the ability to transfer user attributes to the server, (3) the
>>> ability to store user attributes remotely, and (4) the ability for a
>>> 3rd-party to warrant user attribute claims.
>>>       
>> On point (1) in order to fix phishing it is the server that must
>> properly authenticate to the user (e.g., other way round).
>>     
>
> That's *one* way to attack phishing (at least the current form).
> There are others (cf. PwdHash)
>   

I'm sorry, but PwdHash is not enough of a reference for me to
understand.  I claim that the most *effective* way to prevent
phishing is to demand that the server prove its identity enough to know
the right question to ask of the client.  If PwdHash covers this ground,
then we agree.

Eliot
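The PwdHash approach Eric points to is per-site password hashing: the credential the browser submits is derived from the user's master password and the domain it is being sent to, so a value captured by a lookalike domain is useless at the real site, without the server having to authenticate itself first. The block below is an added illustration of that idea, written for this page; it is not PwdHash's own implementation. It assumes an HMAC-SHA256 derivation truncated to 16 base64 characters, a simplified "last two labels" rule for the domain the password is bound to, and constructed example URLs.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL to the domain the derived password is bound to.

    Assumption (simplified rule for this example): the last two host labels
    are the registrable domain.  A real deployment needs a public-suffix
    list so that e.g. accounts.bank.co.uk and www.bank.co.uk agree, and so
    that a phishing host under a shared suffix is not treated as the bank.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(master_password: str, url: str, length: int = 16) -> str:
    """PwdHash-style derivation: HMAC keyed with the master password over the
    site domain, so the secret a user types into a lookalike site differs
    from the one the genuine site would receive.

    Assumption: HMAC-SHA256, base64-encoded and truncated to `length`
    characters.  PwdHash itself uses a different hash and output encoding;
    this shows the mechanism, not the reference algorithm.
    """
    domain = site_domain(url)
    mac = hmac.new(
        master_password.encode("utf-8"),
        domain.encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def phished_value_is_useless(master_password: str, real_url: str, phish_url: str) -> bool:
    """True when the credential a phishing page would capture does not match
    the credential the genuine site expects."""
    return derive_site_password(master_password, real_url) != derive_site_password(
        master_password, phish_url
    )


if __name__ == "__main__":
    # Constructed URLs: a genuine login host, a sibling host of the same site,
    # and two lookalike phishing hosts.
    master = "correct horse battery staple"
    real = "https://login.bank.example/"
    sibling = "https://www.bank.example/account"
    phish_subdomain = "https://login.bank.example.evil.test/"
    phish_lookalike = "https://bank-example.test/"

    print("real    :", derive_site_password(master, real))
    print("sibling :", derive_site_password(master, sibling))
    print("phish 1 :", derive_site_password(master, phish_subdomain))
    print("phish 2 :", derive_site_password(master, phish_lookalike))
    print("phish 1 useless at real site:", phished_value_is_useless(master, real, phish_subdomain))
    print("phish 2 useless at real site:", phished_value_is_useless(master, real, phish_lookalike))
```

The point the example makes concrete is the one behind Eric's remark: the phisher still receives something, but it is a domain-bound hash rather than the master password, and it does not verify at the real site. What it does not give the user is any proof of who the server is, which is the property Eliot's reply asks for; a server-authentication mechanism and a client-side derivation like this one address different parts of the same attack.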

_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.