Re: [dix] Agenda bashing
I believe that PwdHash does rely on a certain level of proof of the server's identity. The browser needs to decide that the domain name that the server is presenting actually belongs to it. This is usually done by relying on SSL/TLS. If the false server can convince the browser that it is in fact the targeted domain, then the browser will happily transmit the full credential (H(password, domain)) to the server.

PwdHash does NOT require that the proved domain match anything the user has in mind. That is, the identity does not need to be presented to the user, or compared against anything the user is doing. This seems to be the primary problem in phishing attacks (the last foot). That's where the real advantage of techniques like PwdHash lies.
Terry
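The credential H(password, domain) discussed in the message above, worked through as an added example. This is not the PwdHash extension's own code, and the specific construction (HMAC-SHA256 keyed by the master password over the domain, truncated base64 output) and the two-label domain extraction are assumptions chosen for illustration; the URLs are constructed sample inputs. The point it makes is the one in the thread: a phishing site on a different domain receives a credential that is useless at the real site, but a server that the browser already accepts as the targeted domain receives exactly the credential the user would have sent to the legitimate site.

```python
# Added illustration of a domain-bound credential H(password, domain).
# NOT the PwdHash extension's code: hash construction, output encoding and
# domain extraction are assumptions made for this example.
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain the credential is bound to.

    Assumption: the last two labels of the host name (e.g. 'bank.example'),
    ignoring scheme, port, path and subdomains. A real deployment needs a
    public-suffix list (co.uk and friends); this shortcut is for illustration.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_bound_password(master_password: str, url: str, length: int = 20) -> str:
    """H(password, domain): HMAC-SHA256 keyed by the master password over the
    site key, truncated and base64-encoded so it fits a typical password field.
    (Assumed construction; the real extension uses its own.)"""
    domain = site_key(url)
    digest = hmac.new(master_password.encode("utf-8"),
                      domain.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def credential_is_reusable(master_password: str, legit_url: str, presented_url: str) -> bool:
    """True if what the browser would send to presented_url is the same
    credential the user sends to legit_url, i.e. the receiving server could
    replay it against the real site. This is exactly the case where the
    presenting server has convinced the browser it *is* the targeted domain."""
    return (domain_bound_password(master_password, legit_url)
            == domain_bound_password(master_password, presented_url))


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed sample
    real = "https://www.bank.example/login"          # constructed sample
    phish = "https://bank.example.login-verify.net/" # constructed sample
    print("real site  :", domain_bound_password(master, real))
    print("phish site :", domain_bound_password(master, phish))
    print("reusable?  :", credential_is_reusable(master, real, phish))
```

Note that the function names a different credential for every registered domain, which is what stops the "last foot" phish; it does nothing against an attacker who can make the browser accept a certificate for bank.example, since the browser will then compute and send the genuine credential.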
-----Original Message-----
From: Eric Rescorla <ekr at networkresonance.com>
To: Digital Identity Exchange <dix at ietf.org>
Sent: Mon, 3 Jul 2006 13:41:29 -0700
Subject: Re: [dix] Agenda bashing
Eliot Lear <lear at cisco.com> writes:
but I claim that the most *effective* way to prevent phishing is to demand that the server prove its identity enough to know the right question to ask of the client. If PwdHash covers this ground, then we agree.
It doesn't. It uses an entirely different technique.
_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.