On 7/10/07, Martin Langhoff <[EMAIL PROTECTED]> wrote: > On 7/10/07, Ben Laurie <[EMAIL PROTECTED]> wrote: > > The blind trust in the relying party is more of a concern to me: > > http://www.links.org/?p=187. > > Good point -- that's even easier than hacking the DNS. A bit of a > spoof IDP site and done. And those "shared secrets" between the IDP > and the user can be proxied through to the user as the IDP cannot know > that the user is legitimate. All I've seen so far are phrases and > images -- both look pretty, and useless. > > So we have > > - Blind trust in the relying party > - DNS weaknesses -- fixed by the PKI in HTTPS -- will the laptops > shipped to a school have loaded the school server's PKs? Or trust a > big OLPC-signing-cert-in-the-sky? > - A comment in your blog mentions MITM attacks against > Diffie-Helmann. I'm not versed enough in the matter to judge the > actual risk here. Google led me to > http://www.itillious.com/insight/articles/maninmiddle.html
So, D-H is trivially MitMable. AFAIK, all known defences are patented, sadly. > > cheers, > > > martin > _______________________________________________ Devel mailing list [email protected] http://lists.laptop.org/listinfo/devel
