On 10/18/12 11:45 PM, James A. Donald wrote:
> On 2012-10-19 11:47 AM, Nico Williams wrote:
>> Lack of client ID privacy protection can lead to some attacks such as
>> password guesses based on the ID or knowledge of the person that ID is
>> for. If you were working for a spy agency (say), you'd definitely
>> want priv. prot. for the client ID!
>
> If the attacker knows the email address, can identify the user - who
> is very likely using the same password for his porn account, etc.
> Attacker intercepts porn account using firesheep, and ... he is in.
That problem isn't limited to use of email address as an identifier. People like to use the same identifiers (if they can get them), even if they're not email addresses, in multiple places. If you're concerned about identifier confidentiality or ability of sites to collude, you probably need to be thinking about protocols that have directed identity (unique identifier per site) properties.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
