[EMAIL PROTECTED] writes:
> I believe that PwdHash does rely on a certain level of proof of the
> server's identity. The browser needs to decide that the domain name
> that the server is presenting actually belongs to it. This is usually
> done by relying on SSL/TLS. If the false server can convince the
> browser that it is in fact the targeted domain, then the browser will
> happily transmit the full credential (H(password, domain)) to the
> server.
>
> PwdHash does NOT require that the proved domain match anything the
> user has in mind. That is, the identity does not need to be presented
> to the user, or compared against anything the user is doing. This
> seems to be the primary problem in phishing attacks (the last foot).
> That's where the real advantage of techniques like PwdHash is.
I think this is a fair summary.

-Ekr

> -----Original Message-----
> From: Eric Rescorla <[EMAIL PROTECTED]>
> To: Digital Identity Exchange <[email protected]>
> Sent: Mon, 3 Jul 2006 13:41:29 -0700
> Subject: Re: [dix] Agenda bashing
>
> Eliot Lear <[EMAIL PROTECTED]> writes:
>
>> but I claim that the most *effective* way to prevent phishing is to
>> demand that the server prove its identity enough to know the right
>> question to ask of the client. If PwdHash covers this ground, then
>> we agree.
>
> It doesn't. It uses an entirely different technique.
>
> _______________________________________________
> dix mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/dix
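As an added illustration of the two points in the thread (this is example code, not part of the discussion and not PwdHash's own implementation): the per-site credential is bound to the domain the browser has identified, so a lookalike domain that the browser correctly names receives an unusable value, while a server that defeats the browser's TLS-based domain identification receives the credential valid at the real site. HMAC-SHA256 stands in for PwdHash's own hash and encoding; the domains and master password are constructed.

```python
import hashlib
import hmac


def site_password(master_password: str, browser_domain: str) -> str:
    """PwdHash-style per-site credential, i.e. H(password, domain).

    Simplified stand-in: HMAC-SHA256 keyed with the master password over the
    domain the browser believes it is talking to (PwdHash uses its own hash
    and encoding). Truncated to 16 hex chars to fit a typical password field.
    """
    tag = hmac.new(master_password.encode("utf-8"),
                   browser_domain.lower().encode("utf-8"),
                   hashlib.sha256).digest()
    return tag.hex()[:16]


def credential_leaked(master_password: str, target_domain: str,
                      browser_domain: str) -> bool:
    """True iff the value the browser sends is the one valid at target_domain.

    browser_domain is what the browser's server-identity check (normally
    SSL/TLS) concluded. If that check is right, a false server only ever sees
    a hash bound to its own name; if the false server can make the browser
    conclude it is target_domain, the real credential goes out. The user's
    belief about which site they are on plays no part in this computation.
    """
    sent = site_password(master_password, browser_domain)
    real = site_password(master_password, target_domain)
    return hmac.compare_digest(sent, real)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed
    target = "bank.example"                   # constructed
    # Case 1: lookalike domain, browser identifies it correctly -> unusable value.
    print("lookalike leaks credential:",
          credential_leaked(master, target, "bank-login.example"))   # False
    # Case 2: browser fooled into naming the target domain -> real credential sent.
    print("spoofed identity leaks credential:",
          credential_leaked(master, target, "bank.example"))         # True
```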
