Re: [dix] Agenda bashing

To: "Haripriya S" <sharipriya at novell.com>
Subject: Re: [dix] Agenda bashing
From: Eric Rescorla <ekr at networkresonance.com>
Date: Tue, 04 Jul 2006 06:59:39 -0700
Cc: Digital Identity Exchange <dix at ietf.org>
In-reply-to: <44AA8C35.A648.00B6.0@novell.com> (Haripriya S.'s message of "Tue, 04 Jul 2006 04:11:40 -0600")
List-archive: <http://www1.ietf.org/pipermail/dix>
List-help: <mailto:dix-request@ietf.org?subject=help>
List-id: Digital Identity Exchange <dix.ietf.org>
List-post: <mailto:dix@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
References: <20060703172550.A182A222425@laser.networkresonance.com> <44A973DC.9040801@cisco.com> <44A973DC.9040801@cisco.com> <86zmfqa0au.fsf@raman.networkresonance.com> <44AA8C35.A648.00B6.0@novell.com>
Reply-to: EKR <ekr at networkresonance.com>, Digital Identity Exchange <dix at ietf.org>
User-agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)

"Haripriya S" <sharipriya at novell.com> writes:

> pwdHash can address two problems: 
>  a. theft of the passwords from one website and using the same at other
> websites
>  b. theft of passwords for the target website by phishing
> But techniques like pwdHash cannot prevent phishing attacks where the
> phishing sites do not even validate the password from the user, but goes
> on to prompt and capture long-term credentials from the user like credit
> cards etc. As Eliot pointed out, in such cases it is the server which
> needs to be authenticated in a phish-proof way.

That's one way to look at it. Another is that this is just another
password and should be solved with the same approach.

-Ekr



_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix

References:
- Re: [dix] Agenda bashing
  - From: Eric Rescorla
- Re: [dix] Agenda bashing
  - From: Eliot Lear
- Re: [dix] Agenda bashing
  - From: Eric Rescorla
- Re: [dix] Agenda bashing
  - From: Haripriya S

Prev by Date: Re: [dix] Agenda bashing
Next by Date: Re: [dix] Agenda bashing
Previous by thread: Re: [dix] Agenda bashing
Next by thread: Re: [dix] Agenda bashing
Index(es):
- Date
- Thread

Re: [dix] Agenda bashing

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.