On Mon, Jun 26, 2006 at 12:00:52PM -0700, Eric Rescorla wrote:
> Mark Nottingham <[EMAIL PROTECTED]> writes:
>
> > On 2006/06/23, at 3:29 PM, Eric Rescorla wrote:
> >> Part of the problem is that the user and the software have
> >> a different view of the RP's identity. The software knows that
> >> C1tibank and Citibank are different, but the user does not.
> >
> > Fair enough.
> >
> > Would it be correct to say that HTTP Digest Auth has this property
> > already (because A2 includes the digest-uri-value)? There are other
> > attacks that can be made against Digest, of course (e.g., dictionary
> > against weak passwords), but it's interesting to think of it as
> > having anti-phishing properties.
>
> I'm not 100% sure. IIRC, the digest-uri-value is only the
> path portion, i.e.,
>
> /example/example.html
digest-uri-value just matches the Request-URI, so it depends on whether the
client is using a proxy or not - HTTP/1.1 clients will typically use an
absoluteURI in the Request-URI iff configured to use a proxy (and not
tunnelling using CONNECT); otherwise they use the abs_path.

joe

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
