Eric Rescorla wrote:
> Eliot Lear <[EMAIL PROTECTED]> wrote:
>   
>> Pete,
>>     
>>> So, from the conversation so far, these are the architectural/protocol
>>> issues I think need discussing at the BOF:
>>>
>>> - Discussion of the scope and number of the mechanisms. There seem to
>>> be desires for (1) the ability for the user to identify to the server
>>> (probably authenticating, preventing phishing as much as possible),
>>> (2) the ability to transfer user attributes to the server, (3) the
>>> ability to store user attributes remotely, and (4) the ability for a
>>> 3rd-party to warrant user attribute claims.
>>>       
>> On point (1) in order to fix phishing it is the server that must
>> properly authenticate to the user (e.g., other way round).
>>     
>
> That's *one* way to attack phishing (at least the current form).
> There are others (cf. PwdHash)
>   

I'm sorry, but PwdHash is not enough of a reference for me to
understand, but I claim that the most *effective* way to prevent
phishing is to demand that the server prove its identity enough to know
the right question to ask of the client.  If PwdHash covers this ground,
then we agree.

Eliot

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
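The exchange above contrasts two anti-phishing approaches: making the server prove its identity first (Eliot's position) and binding the credential the user submits to the site it is submitted to (the PwdHash reference). The following is an added illustration of the second idea and is not code from the thread or from the PwdHash project; it uses HMAC-SHA256 as a stand-in for PwdHash's derivation (the original used HMAC-MD5 with its own encoding), a two-label rule for the domain (the real extension is public-suffix aware), and constructed example hostnames (`bank.example`, `bank-example.net`) and a toy server class that exist only for this example.

```python
"""Domain-bound passwords in the style of PwdHash (added illustration)."""
import base64
import hashlib
import hmac
import os
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Reduce a URL to the domain the derived password is bound to.

    Assumption for this example: the last two DNS labels. The real PwdHash
    extension uses a public-suffix-aware rule so co.uk-style names work.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(master_password: str, url: str, length: int = 16) -> str:
    """Derive the per-site password the user actually submits.

    HMAC-SHA256 keyed with the master password over the domain; a stand-in
    for the PwdHash construction, not a re-implementation of it.
    """
    domain = registrable_domain(url)
    mac = hmac.new(master_password.encode("utf-8"), domain.encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]


class Server:
    """Toy verifier: stores only a salted PBKDF2 of the site-specific password."""

    def __init__(self):
        self._users = {}

    def register(self, user: str, submitted_password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._stretch(submitted_password, salt))

    def verify(self, user: str, submitted_password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._stretch(submitted_password, salt))

    @staticmethod
    def _stretch(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def phishing_scenario(master_password: str = "correct horse battery staple") -> dict:
    """Register at the real site, get phished at a look-alike, replay the capture.

    Returns the three outcomes so they can be checked rather than just printed.
    """
    real = "https://www.bank.example/login"
    phish = "https://www.bank-example.net/login"   # constructed look-alike domain
    bank = Server()
    bank.register("alice", site_password(master_password, real))

    legitimate_login = bank.verify("alice", site_password(master_password, real))
    captured = site_password(master_password, phish)   # all the phisher ever sees
    replay_succeeds = bank.verify("alice", captured)
    return {
        "legitimate_login": legitimate_login,
        "replay_succeeds": replay_succeeds,
        "captured_equals_real": captured == site_password(master_password, real),
    }


if __name__ == "__main__":
    print(phishing_scenario())
```

The point the example makes is that the server never authenticates to the user at all: the protection comes from the client deriving the submitted secret from the origin it is really talking to, so what the look-alike site captures is a value the real site has never seen. The caveats a practitioner would check are that the derivation must run in the client (a browser extension in PwdHash's case) from the true origin and not from anything the page itself supplies, that the domain rule has to handle public suffixes and IDN homographs, and that a user who types the master password into an unprotected field loses everything, which is why the two approaches in the thread are complementary rather than exclusive.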