I think that DoS attacks are going to be a major issue that any protocol in this space is going to have to cope with.
In particular attacks against the auth provider are going to require serious attention.

I am less worried about auth providers attacking relying parties. The relying parties should soon learn not to connect to abusive auth providers.

PKI is one of the tools we can use to help here.

* The large auth providers are the ones most likely to be attacked, the small fry are probably not worth bothering with.

* PKI should only be used to establish a framework of trust, after an initial bilateral key exchange using PKI the credentials can be cached for future use.

Just so folk are straight here, VeriSign is not an exclusive provider of PKI based authentication, we have a large and growing symmetric key based product line. I am just as happy with the idea of managing a Kerberos style key distribution based system as PKI, there are cases where that is the right approach.

> -----Original Message-----
> From: Robert Yates [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 08, 2006 10:25 AM
> To: Digital Identity Exchange
> Subject: Re: [dix] DIX in the extranet
>
> Hallam-Baker, Phillip wrote:
>
> >I don't think that the design is far enough advanced to know what
> >authentication techniques are required, let alone to throw out an
> >entire class of solutions.
> >
> >
> I didn't mean to imply that we throw anything out, am just
> asking if others think that there is a DoS vulnerability in
> the current draft.
>
> Rob
>
> _______________________________________________
> dix mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/dix
