>>>>> "Eliot" == Eliot Lear <[EMAIL PROTECTED]> writes:
Eliot> Perhaps I'm not well enough versed to understand why this would be the
Eliot> case, unless the other end can prove itself in some meaningful way in
Eliot> the next phase that the user would actually understand. And even then
Eliot> I'm not sure that solves MITM.
It can be made to solve MITM.
My argument is that there are a number of cases where the other end can prove
its identity in a sufficiently meaningful way at a higher level.
If it knows the same secret as I do, then it's one of the people who
knows that secret. If only two people know the secret and I'm one of
them, well, I probably know who it is. If the other end then tells me
the name of its cert, and I check that name and confirm I trust the CA,
then I have met the requirements of 4.5.
>> I think it is quite possible to accomplish 4.5 in the case
>> where you have an existing relationship with a site based on
>> shared secrets.
>>
Eliot> Section 4.6 assumes that there is a third party identity provider. This
Eliot> needn't be the case, but if it is, it is sufficient to have a name, a
Eliot> nonce, and a public/private key pair, is it not?
>>
All this is true.
I don't see how it has anything to do with 4.6.
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
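The argument above (a shared secret proves the peer is one of the secret's holders; binding that proof to the name of the cert the peer presents, and checking that the CA is trusted, turns it into a MITM check) can be illustrated in code. The following is an added example written for this page, not code from the dix list or any DIX specification: the secret, the certificate records, the trusted-CA set and the HMAC-over-nonce construction are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a pre-shared secret known only to the user and the site.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"

# Hypothetical trust store: the CAs this client is willing to accept.
TRUSTED_CAS = {"Example Root CA"}

# Hypothetical certificates, reduced to the two fields the argument needs.
GENUINE_CERT = {"subject": "bank.example", "issuer": "Example Root CA"}
# An interposer can hold a perfectly valid cert for its own name; the CA check alone
# does not catch it. Only the binding to the secret does.
RELAY_CERT = {"subject": "relay.example", "issuer": "Example Root CA"}
UNTRUSTED_CERT = {"subject": "bank.example", "issuer": "Unknown CA"}


def server_prove(secret: bytes, client_nonce: bytes, cert_subject: str) -> bytes:
    """Server side: HMAC over the client's nonce and the subject name of the cert the
    server presents on this connection. Knowing the secret is what lets the server
    produce this; including the cert name is what makes a relayed proof useless."""
    return hmac.new(secret, client_nonce + b"|" + cert_subject.encode(), hashlib.sha256).digest()


def client_verify(secret: bytes, client_nonce: bytes, observed_cert: dict,
                  proof: bytes, trusted_cas=TRUSTED_CAS) -> bool:
    """Client side: accept only if (a) the observed cert was issued by a CA we trust and
    (b) the proof is bound to the cert name we actually saw on this connection."""
    if observed_cert["issuer"] not in trusted_cas:
        return False
    expected = hmac.new(secret, client_nonce + b"|" + observed_cert["subject"].encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def honest_exchange() -> bool:
    """Client talks directly to the genuine server: proof and observed cert agree."""
    nonce = secrets.token_bytes(16)
    proof = server_prove(SHARED_SECRET, nonce, GENUINE_CERT["subject"])
    return client_verify(SHARED_SECRET, nonce, GENUINE_CERT, proof)


def relayed_exchange() -> bool:
    """An interposer presents RELAY_CERT to the client and forwards the nonce to the
    genuine server. The genuine server binds its proof to 'bank.example', but the
    client observed 'relay.example', so verification fails even though the CA is trusted."""
    nonce = secrets.token_bytes(16)
    proof_from_real_server = server_prove(SHARED_SECRET, nonce, GENUINE_CERT["subject"])
    return client_verify(SHARED_SECRET, nonce, RELAY_CERT, proof_from_real_server)


def forged_exchange() -> bool:
    """A peer that does not hold the secret cannot produce a valid proof for any cert name."""
    nonce = secrets.token_bytes(16)
    forged = server_prove(b"wrong-guess", nonce, RELAY_CERT["subject"])
    return client_verify(SHARED_SECRET, nonce, RELAY_CERT, forged)


def untrusted_ca_exchange() -> bool:
    """Right name, right secret, but a CA the client does not trust: rejected before the
    proof is even compared, which is the 'confirm I trust the CA' step of the argument."""
    nonce = secrets.token_bytes(16)
    proof = server_prove(SHARED_SECRET, nonce, UNTRUSTED_CERT["subject"])
    return client_verify(SHARED_SECRET, nonce, UNTRUSTED_CERT, proof)


if __name__ == "__main__":
    print("direct connection accepted:", honest_exchange())        # True
    print("relayed proof accepted:", relayed_exchange())           # False
    print("forged proof accepted:", forged_exchange())             # False
    print("untrusted CA accepted:", untrusted_ca_exchange())       # False
```

The point of the example is the second argument to the HMAC: without the cert name, "knows the secret" only identifies the peer as some holder of the secret, and a relay that forwards the challenge passes. With the observed cert name mixed in, the proof is tied to the endpoint the client is actually talking to, which is the higher-level check the message argues can satisfy 4.5. Real protocols do this with a channel binding derived from the TLS session rather than the bare subject string; the constructed version here keeps the logic visible.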