Steven M. Bellovin wrote:
> There's another issue: initial account setup. [Even
> with SRP] people will still need to rely on
> certificate-checking for that. It's a real problem at
> some hotspots, where Evil Twin attacks are easy and
> lots of casual users are signing up for the first
> time.
For banks and health care, initial account setup always involves out-of-band communication, so certificate checking is not needed. We need to build our security mechanisms to fit characteristic human out-of-band security, rather than trying to force humans to imitate computers.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]