Steven M. Bellovin wrote:
> There's another issue: initial account setup.  [Even
> with SRP] people will still need to rely on
> certificate-checking for that.  It's a real problem at
> some hotspots, where Evil Twin attacks are easy and
> lots of casual users are signing up for the first
> time.

For banks and health care, initial account setup always
involves out-of-band communication, so certificate
checking is not needed.

We need to build our security mechanisms to fit
characteristic human out of band security, rather than
trying to force humans to imitate computers.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

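The enrollment-versus-login distinction raised in the quoted message, as an added example that is not code from this thread or from any SRP implementation: an SRP-6a exchange in Python in which the server holds only (salt, verifier). The login itself gives an Evil Twin nothing, while whoever captures the enrollment data can impersonate the server later, which is exactly why that step needs an authenticated or out-of-band channel. Assumptions, all mine: SHA-256 in place of RFC 5054's SHA-1, a small safe prime found at import time in place of an RFC 5054 group, and constructed credentials ("alice", the passwords, the "attacker's guess" verifier). `evil_twin_succeeds` models the hotspot case both ways.

```python
import hashlib
import secrets

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases; enough for a demonstration group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _toy_safe_prime(bits=128):
    """Smallest safe prime 2q+1 with q > 2**(bits-1).  Toy size for a quick
    demo; real deployments use the 2048-bit or larger RFC 5054 groups."""
    q = (1 << (bits - 1)) + 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

N = _toy_safe_prime()
g = 2
NLEN = (N.bit_length() + 7) // 8

def _pad(x):
    return x.to_bytes(NLEN, "big")

def _h(*parts):
    """SHA-256 over the concatenated byte strings, as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

K_MULT = _h(_pad(N), _pad(g))  # SRP-6a multiplier k = H(N | PAD(g))

def _private_x(salt, username, password):
    """x = H(salt | H(username ":" password)); derived on the client, never stored."""
    return _h(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username, password):
    """Client-side enrollment.  (salt, v) is what travels to the server: v = g^x
    does not reveal the password, but whoever captures it can dictionary-attack
    it offline and can later impersonate the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, _private_x(salt, username, password), N)

class Server:
    """Server side of one login; holds only the enrolled (salt, v)."""
    def __init__(self, username, salt, v):
        self.username, self.salt, self.v = username, salt, v
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (K_MULT * v + pow(g, self.b, N)) % N

    def challenge(self):
        return self.salt, self.B

    def session_key(self, A):
        if A % N == 0:
            raise ValueError("illegal client value A")
        u = _h(_pad(A), _pad(self.B))
        S = pow(A * pow(self.v, u, N), self.b, N)  # g^(ab + uxb)
        return hashlib.sha256(_pad(S)).digest()

def client_login(username, password, salt, B):
    """Client side; returns (A, session key).  The password is used only here."""
    if B % N == 0:
        raise ValueError("illegal server value B")
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    u = _h(_pad(A), _pad(B))
    x = _private_x(salt, username, password)
    base = (B - K_MULT * pow(g, x, N)) % N  # equals g^b when the server holds g^x
    S = pow(base, a + u * x, N)             # g^(ab + ubx)
    return A, hashlib.sha256(_pad(S)).digest()

def login_succeeds(server, username, password):
    """True iff client and server derive the same session key."""
    salt, B = server.challenge()
    A, k_client = client_login(username, password, salt, B)
    return k_client == server.session_key(A)

def evil_twin_succeeds(password, attacker_saw_enrollment):
    """Hotspot scenario with constructed credentials.  The Evil Twin plays the
    server: without the enrollment data it must guess a verifier and the login
    fails; having captured (salt, v) from an unauthenticated enrollment it
    completes the login exactly as the real server would."""
    salt, v = enroll("alice", password)                # sent to the server at setup
    if not attacker_saw_enrollment:
        salt, v = enroll("alice", "attacker's guess")  # no better than a guess
    return login_succeeds(Server("alice", salt, v), "alice", password)
```

The two `evil_twin_succeeds` outcomes are the whole argument in miniature: SRP removes the need to authenticate the server at every login, but not at the moment the verifier is first delivered, so that delivery has to ride on something already trusted, whether a certificate check or the out-of-band enrollment the reply describes.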