On 6/23/06, Mark Nottingham <[EMAIL PROTECTED]> wrote:
On 2006/06/19, at 2:59 PM, Eric Rescorla wrote:
1. Capture-Resistant Credentials (CRC)
This is a bit confusing; to me (disclaimer -- I'm just a layman, not a
security expert), phishing is based on confusing the user about the RP's
identity, not reusing credentials from RP X with RP Y. Of course, if you
enable Common User Credentials, phishing will be possible in this manner.
FWIW, I took this to mean that the attacker is able to reuse your
credentials on the site being impersonated. For example, Basic+TLS
requests give up your plain text password to chase.com if you are
tricked into sending them to evil-chase.com.
--
Robert Sayre
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
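As an added illustration of the Basic+TLS point Robert makes above (this is not part of the thread; the hostnames, user name, password and the particular construction are made up for the example, and it is not Eric Rescorla's definition of CRC), the following Python models the two cases side by side: the Authorization header a browser sends to evil-chase.com is decoded by the phisher and replayed verbatim against chase.com, whereas a credential whose proof is keyed to the hostname the client actually connected to (here an HMAC over a server nonce under a PBKDF2-derived per-origin key) fails when the phisher relays it to chase.com, even in real time.

```python
import base64
import hashlib
import hmac
import secrets

# Made-up hosts for the example: the real site and the look-alike the user was lured to.
REAL_ORIGIN = "chase.com"
PHISH_ORIGIN = "evil-chase.com"


def basic_header(username: str, password: str) -> str:
    """Authorization header a browser sends for HTTP Basic: base64(user:password).
    TLS hides it from the network, but whoever terminates TLS reads it in the clear."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: str) -> tuple[str, str]:
    """What any server, legitimate or phishing, recovers from a Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def real_site_accepts_basic(header: str, userdb: dict[str, str]) -> bool:
    """chase.com checking a Basic header: anyone holding the header can log in."""
    user, password = decode_basic(header)
    stored = userdb.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


# --- A capture-resistant shape: the proof is keyed to the origin the client reached ---

def origin_key(password: str, origin: str) -> bytes:
    """Per-origin key derived from the password and the TLS-verified hostname.
    PBKDF2 is a choice made for this example, not something the thread specifies."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), origin.encode(), 50_000)


def crc_response(password: str, connected_origin: str, nonce: str) -> str:
    """Client side: HMAC over the server's nonce under the key for the host it actually
    connected to. The password itself never leaves the client."""
    key = origin_key(password, connected_origin)
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def real_site_verifies_crc(user: str, nonce: str, response: str,
                           crc_db: dict[str, bytes]) -> bool:
    """Server side: chase.com stores only the key for its own origin."""
    key = crc_db.get(user)
    if key is None:
        return False
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def phishing_outcomes(username: str = "alice", password: str = "hunter2") -> dict[str, bool]:
    """Both scenarios: the victim authenticates to evil-chase.com, then the phisher
    tries to use what it captured against chase.com."""
    # Basic+TLS: the phisher decodes the header and replays the plaintext password.
    captured = decode_basic(basic_header(username, password))
    basic_replay = real_site_accepts_basic(basic_header(*captured), {username: password})

    # CRC: chase.com issues a nonce and the phisher relays it to the victim in real time,
    # but the victim's browser keys the response to evil-chase.com, the host it reached.
    crc_db = {username: origin_key(password, REAL_ORIGIN)}
    nonce = secrets.token_hex(16)
    victim_response = crc_response(password, PHISH_ORIGIN, nonce)
    crc_replay = real_site_verifies_crc(username, nonce, victim_response, crc_db)

    # Sanity check: the same scheme works when the user really is on chase.com.
    honest_response = crc_response(password, REAL_ORIGIN, nonce)
    crc_honest = real_site_verifies_crc(username, nonce, honest_response, crc_db)

    return {"basic_replay_succeeds": basic_replay,
            "crc_replay_succeeds": crc_replay,
            "crc_honest_login_succeeds": crc_honest}


if __name__ == "__main__":
    for name, outcome in phishing_outcomes().items():
        print(f"{name}: {outcome}")
```

One caveat a practitioner would add: because the per-origin key is derived from the password, a phisher holding the nonce and the victim's response can still guess low-entropy passwords offline, so the construction above only shows the origin-binding idea; deployed capture-resistant schemes reach for a PAKE or an asymmetric key so that nothing password-derived is exposed at all.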