> From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
> That's *one* way to attack phishing (at least the current form).
> There are others (cf. PwdHash)
There are three basic approaches to defeat phishing.
Phishing is an ATTACK where SOCIAL ENGINEERING is used to STEAL CREDENTIALS.
1) Defeat the infrastructure of a specific attack
Here we have takedown services such as the VeriSign Anti-Phishing
solution, filtering of the phishing spam, blocking known phishing capture
sites, fraud detection services etc.
2) Defeat the social engineering attack using strong outbound authentication
This is the principal purpose of Secure Internet Letterhead: Use the
PKIX logotype extension in an EV X.509 certificate to provide a trustworthy
proof of legitimate use of the subject brand. Letterhead may be used in
conjunction with DKIM or S/MIME to provide trustworthy proof of origin in the
email channel or with SSL to provide trustworthy proof of origin in the Web.
3) Defeat the theft of the credentials by making the credentials
theft-resistant.
The OATH consortium is working to provide an open, unencumbered
standard for strong authentication whether OTP or PKI based. The algorithms for
the OTP version have already been issued as informational RFCs. Other necessary
infrastructure is being built out.
WAE does not fit into 1 or 2 and it does not directly address 3.
Where WAE fits in is that it facilitates the infrastructure changes necessary
to make widespread deployment of #3 solutions possible.
With WAE I can in theory go down to Fry's, buy a token and then use it to secure
access to my bank account without the bank needing to support my specific token
technology. All they need to know is that I am using something better than
username and password and that the authentication service provider will provide
an acceptable SLA.
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
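The message above lists OATH's OTP algorithms as the approach that makes stolen credentials less useful. The following is an added example, not code from the post or from the OATH consortium; it assumes the algorithm meant is HOTP (RFC 4226, HMAC-SHA-1 over an 8-byte counter with dynamic truncation), uses the 20-byte ASCII test key from RFC 4226 Appendix D as a constructed secret, and picks a server-side look-ahead window of 5 as an arbitrary assumption. It shows both the token side (generating a code) and the verifier side (accepting a code once and advancing the counter so a captured code cannot be replayed).

```python
import hashlib
import hmac
import struct

# Constructed secret: the ASCII test key from RFC 4226 Appendix D.
# A real token stores a per-device random key of at least 16 bytes.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side. HOTP(K, C) per RFC 4226 section 5.3:
    HMAC-SHA-1 over the 8-byte big-endian counter, dynamic truncation to
    a 31-bit integer, then reduce modulo 10^digits and zero-pad."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Verifier side (what the bank, or the authentication service provider
    acting for it, holds): the shared key and the next expected counter.
    A candidate code is accepted only if it matches a counter in the window
    [next, next + window); the counter then moves past the match, so the
    same code can never be accepted twice."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window  # assumed look-ahead; tolerates skipped presses
        self.digits = digits
        self.counter = 0  # next counter value the verifier will accept

    def verify(self, candidate: str) -> bool:
        # Constant-time comparison so the verifier does not leak how many
        # leading digits of a guess were right.
        for c in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.counter = c + 1
                return True
        return False


def first_codes(n: int = 10) -> list:
    """The first n codes for the test key (matches RFC 4226 Appendix D)."""
    return [hotp(TEST_SECRET, c) for c in range(n)]


def replay_demo() -> dict:
    """Walk through one phishing-style replay against a verifier."""
    v = HotpVerifier(TEST_SECRET)
    stolen = hotp(TEST_SECRET, 2)  # a code the user typed into a fake site
    return {
        "first_use": v.verify(stolen),     # phisher relays it once: accepted
        "replay": v.verify(stolen),        # second use of the same code: rejected
        "stale": v.verify(hotp(TEST_SECRET, 1)),  # older counter: rejected
        "next": v.verify(hotp(TEST_SECRET, 3)),   # legitimate next press: accepted
    }


if __name__ == "__main__":
    for c, code in enumerate(first_codes()):
        print(c, code)
    print(replay_demo())
```

The replay walk-through makes the limit of this approach visible: a phisher who relays the captured code immediately still gets that one use, which is why the post files OATH under making the credentials harder to steal rather than under defeating the social engineering itself. What the counter advance buys is that the stolen value is worthless afterwards, unlike a password.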