Mark Nottingham <[EMAIL PROTECTED]> writes:
> On 2006/06/23, at 3:29 PM, Eric Rescorla wrote:
>> Part of the problem is that the user and the software have
>> a different view of the RP's identity. The software knows that
>> C1tibank and Citibank are different, but the user does not.
>
> Fair enough.
>
> Would it be correct to say that HTTP Digest Auth has this property
> already (because A2 includes the digest-uri-value)? There are other
> attacks that can be made against Digest, of course (e.g., dictionary
> against weak passwords), but it's interesting to think of it as
> having anti-phishing properties.
I'm not 100% sure. IIRC, the digest-uri-value is only the
path portion, i.e.,
/example/example.html
rather than
http://www.example.com/example/example.html
But I could totally be wrong on this.
-Ekr
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
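As an added worked example (not part of the dix thread), the following Python computes the RFC 2617 request-digest and shows which request fields actually enter the hash. RFC 2617 section 3.2.2 defines digest-uri-value as the Request-URI of the request line; for a request sent directly to an origin server that is the abs_path (plus query), and only a request through a proxy carries an absoluteURI. The realm is whatever the challenging server puts in WWW-Authenticate. The hostnames, realm, nonce and credentials in host_binding_demo are constructed for illustration; the Mufasa values are the known-answer example from RFC 2617 section 3.5.

```python
# Added example (not part of the dix thread): RFC 2617 Digest computation,
# showing that only realm, nonce, method and digest-uri enter the hash.
import hashlib
from urllib.parse import urlsplit


def _h(s: str) -> str:
    """MD5 hex digest of a string, the RFC 2617 H() for algorithm=MD5."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_uri_for(url: str) -> str:
    """digest-uri-value a client sends for a request made directly to the
    origin server: RFC 2617 3.2.2 uses the Request-URI of the request line,
    which for a direct request is the abs_path plus any query.
    Scheme and host are not part of it."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def digest_response(username, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """request-digest per RFC 2617 3.2.2.1 (algorithm=MD5).
    With qop: H(H(A1):nonce:nc:cnonce:qop:H(A2)); without: H(H(A1):nonce:H(A2))."""
    ha1 = _h(f"{username}:{realm}:{password}")  # A1 = user ":" realm ":" passwd
    ha2 = _h(f"{method}:{uri}")                 # A2 = Method ":" digest-uri-value
    if qop:
        return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _h(f"{ha1}:{nonce}:{ha2}")


def rfc2617_example():
    """The worked example from RFC 2617 section 3.5 (known answer)."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           nc="00000001", cnonce="0a4f113b", qop="auth")


def client_response(url, challenge, username, password, method="GET",
                    nc="00000001", cnonce="0a4f113b"):
    """What a client computes for `url` given the server's WWW-Authenticate
    parameters (a dict with realm, nonce and optional qop)."""
    return digest_response(username, challenge["realm"], password, method,
                           digest_uri_for(url), challenge["nonce"],
                           nc=nc, cnonce=cnonce, qop=challenge.get("qop"))


def host_binding_demo():
    """Constructed scenario (hostnames, realm, nonce and password are made up):
    the same challenge values presented by two different hosts.
    Returns (response sent to the real host, response sent to the look-alike
    host, response if digest-uri were the absolute URL instead of the path)."""
    challenge = {"realm": "example", "nonce": "0123456789abcdef", "qop": "auth"}
    real = "http://www.example.com/example/example.html"
    lookalike = "http://www.examp1e.com/example/example.html"  # constructed name
    r_real = client_response(real, challenge, "alice", "correct horse")
    r_look = client_response(lookalike, challenge, "alice", "correct horse")
    r_bound = digest_response("alice", challenge["realm"], "correct horse",
                              "GET", real, challenge["nonce"],
                              nc="00000001", cnonce="0a4f113b", qop="auth")
    return r_real, r_look, r_bound


if __name__ == "__main__":
    print("RFC 2617 known answer:", rfc2617_example())
    r_real, r_look, r_bound = host_binding_demo()
    print("path-only digest-uri, same response for both hosts:", r_real == r_look)
    print("absolute-URL digest-uri would differ:", r_bound != r_real)
```

Because the client puts only the path into A2 and the realm comes from the challenging server, the two hosts in host_binding_demo receive byte-identical responses; the third value shows what changes if the absolute URL were hashed instead. What that does or does not buy against a given phishing setup is a separate question; the block only makes the inputs to the hash explicit.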