Re: [dix] Agenda bashing

[Eric Rescorla <ekr at networkresonance.com>]

Eliot Lear <lear at cisco.com> writes:

> Eric Rescorla wrote:
>> That's *one* way to attack phishing (at least the current form).
>> There are others (cf. PwdHash)
>>   
>
> I'm sorry, but PwdHash is not enough of a reference for me to
> understand,

http://crypto.stanford.edu/PwdHash/

It's the first hit in Google, FWIW.


> but I claim that the most *effective* way to prevent
> phishing is to demand that the server prove its identity enough to know
> the right question to ask of the client.  If PwdHash covers this ground,
> then we agree.

It doesn't. It uses an entirely different technique.

I don't think it's profitable to argue about what "most effective"
is, but I don't agree that the mechanism you describe is the only
one.

-Ekr



_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix