James A. Donald:
> > Certificate caching is not the problem that needs solving.
> > The problem is all this spam attempting to fool people into
> > logging in to fake BofA websites and fake e-gold websites,
> > to steal their passwords or credit card numbers

On 6 Jun 2003 at 15:04, Tim Dierks wrote:
> I don't think this problem is easier to solve (or at least I
> sure don't know how to solve it).

It is a hard problem with many well known solutions, none of
which have to my knowledge been implemented in HTTPS.  For
example, one can use SPEKE, in which case setting up the account
involves sharing (or issuing) a password, but logging in to the
account does not require one to reveal the password to the site
where one is logging in.  In this case the fake website would
gain no useful information by luring the user to log in to it.

The most HTTPS-like solution would be to generate a keyfile
containing a self-signed private key on one's computer, and
whenever one hit the website, it would do the HTTPS handshake
to log you in to that website's account for the public key
corresponding to your private key; however, HTTPS does not seem
to directly support this model.  In this case the bogus web
site could log you in, but this would not leak any information
that would enable the operators of the bogus web site to log in
to the real web site.

         James A. Donald
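The SPEKE property the message relies on, that a fake site which lures a user into logging in learns nothing it can reuse against the real site, can be checked in a few dozen lines. The following is an added example, not code from the message or from any SPEKE implementation: a simplified SPEKE over a toy 128-bit safe prime generated at run time (real deployments use a standardised group), with the password hashed and squared to obtain the per-password base, an ephemeral Diffie-Hellman exchange on that base, and key confirmation in which the site proves knowledge first. The names `SpekeParty`, `run_login` and `phishing_site_guesses` are my own.

```python
import hashlib
import hmac
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test; adequate for generating a demo group."""
    if n < 2:
        return False
    for sp in [2] + SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int) -> int:
    """Find p = 2q + 1 with q prime (toy size; use a standard group in practice)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


def speke_generator(password: bytes, p: int) -> int:
    """g = H(password)^2 mod p; squaring puts g in the order-q subgroup (SPEKE's construction)."""
    h = int.from_bytes(hashlib.sha256(password).digest(), "big") % p
    g = pow(h, 2, p)
    if g in (0, 1):  # degenerate base, negligible probability for any realistic p
        raise ValueError("degenerate generator")
    return g


class SpekeParty:
    """One side of the exchange; the password is used only locally to derive g."""

    def __init__(self, password: bytes, p: int):
        self.p = p
        self.q = (p - 1) // 2
        self.g = speke_generator(password, p)
        self.x = secrets.randbelow(self.q - 1) + 1  # ephemeral exponent in [1, q-1]
        self.public = pow(self.g, self.x, p)        # the only thing sent on the wire

    def key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1 so a peer cannot force the shared value into a tiny subgroup.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid public value")
        shared = pow(peer_public, self.x, self.p)
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def confirmation_tag(key: bytes, role: bytes) -> bytes:
    return hmac.new(key, b"SPEKE-confirm-" + role, hashlib.sha256).digest()


def run_login(client_password: bytes, site_password: bytes, p: int) -> bool:
    """Client logs in to a site; True only if the site held the same password."""
    client = SpekeParty(client_password, p)
    site = SpekeParty(site_password, p)
    k_client = client.key(site.public)
    k_site = site.key(client.public)
    # The site confirms first: a site that guessed the password wrong gets nothing back.
    if not hmac.compare_digest(confirmation_tag(k_site, b"site"),
                               confirmation_tag(k_client, b"site")):
        return False
    # Only now does the client prove its own knowledge of the key.
    return hmac.compare_digest(confirmation_tag(k_client, b"client"),
                               confirmation_tag(k_site, b"client"))


def phishing_site_guesses(client_password: bytes, guesses: list, p: int) -> int:
    """
    A fake site without the password. Per session it commits to one base g' (one guess)
    and the client's key is H((g'^b)^a); the exponent a never leaves the client, so the
    transcript cannot be tested offline. Returns how many guesses the fake site confirmed.
    """
    return sum(int(run_login(client_password, guess, p)) for guess in guesses)


if __name__ == "__main__":
    P = find_safe_prime(128)
    print("genuine site accepted:", run_login(b"correct horse", b"correct horse", P))
    dictionary = [b"123456", b"password", b"correct horse", b"letmein"]  # constructed sample
    print("guesses a fake site confirmed over 4 sessions:",
          phishing_site_guesses(b"correct horse", dictionary, P))
```

Contrast this with an ordinary login form: there the fake site receives the password itself and every later login to the real site is compromised, whereas here each session hands the fake site a single yes/no answer for one guess, which is exactly the "no useful information" outcome the message describes.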
