Re: Symptoms vs. Causes

To: Eliot Lear <lear at cisco.com>
Subject: Re: Symptoms vs. Causes
From: Eric Rescorla <ekr at networkresonance.com>
Date: Wed, 12 Sep 2007 06:59:20 -0700
Cc: ietf at ietf.org
In-reply-to: <46E79C5D.7010103@cisco.com>
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
References: <tsl4pi13ptg.fsf@mit.edu> <Pine.LNX.4.33.0709111345110.3313-100000@egate.xpasc.com> <20070911234949.523D433C21@delta.rtfm.com> <46E79C5D.7010103@cisco.com>
User-agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)

At Wed, 12 Sep 2007 09:59:25 +0200,
Eliot Lear wrote:
> 
> [1  <text/plain; ISO-8859-1 (7bit)>]
> Eric Rescorla wrote:
> >> In the end 'phishing' is about UI and not protocols.
> >>     
> >
> > Quite so.
> >   
> 
> It's about both.  We can severely limit phishing through the use of 
> mutual authentication. 

This is one possible approach, but not the only one. In fact, it's
one of my principal objections to Sam's document, so I'll refer
you to my review here.

> The UI part is that whatever mutual 
> authentication you use has to be both mandatory AND easy to use.

And, of course, spoofing resistant, which is the major unsolved
problem.

>  The 
> IETF has a responsibility in as much as we need to provide the protocol 
> infrastructure that allows the UIs to be correct.

As I noted in my review, we already have a number of protocols which
potentially provide this functionality, including mutual authentication.

-Ekr

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Follow-Ups:
- Re: Symptoms vs. Causes
  - From: Eliot Lear

References:
- Re: Symptoms vs. Causes
  - From: Sam Hartman
- Re: Symptoms vs. Causes
  - From: David Morris
- Re: Symptoms vs. Causes
  - From: Eric Rescorla
- Re: Symptoms vs. Causes
  - From: Eliot Lear

Prev by Date: Re: Symptoms vs. Causes
Next by Date: Re: Symptoms vs. Causes
Previous by thread: RE: Symptoms vs. Causes
Next by thread: Re: Symptoms vs. Causes
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Symptoms vs. Causes

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.