Eric Rescorla wrote:
> Well, you could clearly use PwdHash this way. In fact, that's how
> your industry standard challenge-response token works. But it doesn't
> really help because you don't have HRA against an attacker who
> controls the victim's computer. So, they don't capture your
> authentication string but they capture the immediately following
> session.
>
PwdHash as an algorithm doesn't protect you from a host computer compromise. For that you need architectural separation, which is why smart cards etc. exist.

It remains up to the end server as to what transactions might require additional authentication. So for instance, a bank may choose to authenticate on new payees for online billing or for particularly large transactions. Or not.

Eliot

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
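A constructed model of the boundary both messages draw, added here and not part of the thread or of PwdHash itself: a domain-keyed derivation (a simplified stand-in, not PwdHash's exact algorithm), a site that issues a session token on login, and the server-side step-up policy Eliot describes for new payees or large amounts. The domain names, limit and amounts are made up.

```python
import hashlib
import hmac
import secrets


def derive_site_password(master: str, domain: str) -> str:
    """Simplified PwdHash-style derivation (assumed model): the password the
    site actually sees is an HMAC of the master password keyed by the domain,
    so a lookalike domain receives a different, useless value."""
    tag = hmac.new(domain.encode(), master.encode(), hashlib.sha256).digest()
    return tag.hex()[:16]  # truncated to a password-sized printable string


class Site:
    """Toy relying party: verifies the derived password, then trusts the session."""

    def __init__(self, domain: str, master_at_enrollment: str, limit_cents: int = 100_000):
        self.domain = domain
        # Only the domain-specific value is ever enrolled; the master stays on the client.
        self._stored = derive_site_password(master_at_enrollment, domain)
        self.limit_cents = limit_cents
        self.sessions: set[str] = set()
        self.known_payees: set[str] = set()

    def login(self, submitted: str):
        if not hmac.compare_digest(submitted, self._stored):
            return None  # a password derived for another domain fails here
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def transfer(self, token: str, payee: str, amount_cents: int, step_up_done: bool = False) -> str:
        # Whoever holds the token is the session: the derivation algorithm cannot
        # distinguish the user from malware on the same host replaying it.
        if token not in self.sessions:
            return "rejected: no session"
        # Server-side policy: new payee or large amount needs additional authentication.
        risky = payee not in self.known_payees or amount_cents > self.limit_cents
        if risky and not step_up_done:
            return "step-up required"
        self.known_payees.add(payee)
        return "ok"
```

Run the login with a value derived for `bank-login.example` against a `Site("bank.example", ...)` to see the phishing case fail, then call `transfer` with the issued token to see that the session alone is enough until the step-up policy intervenes.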
