Kim Goldenberg wrote:
however, you now have a passkey of a picture and a description that you
provide and you are required to confirm they match when you log on; kind
of like saying "are you really ______?"
Not *MY* choice, but theirs.
this is not for them to authenticate you ... this is supposedly allowing you to
authenticate them (aka can they present the correct information you previously provided)
i.e. this is supposedly a countermeasure to website impersonation (being used for
phishing and identity theft). however when this was first being discussed ...
the issue of man-in-the-middle attacks was raised ... lots of past posts about
real-time man-in-the-middle attacks
http://www.garlic.com/~lynn/subintegrity.html#mitm
there has been some amount in the news recently about such website MITM exploits showing up
(aka the additional website authentication processes don't actually provide end-to-end authentication
and integrity ... and a fraudulent website can still get in the middle ...
transparently forwarding information in either direction as needed).
the issue somewhat is "how do you know that the website that you think you are
talking to is really the website you are talking to". this was supposedly one of the
vulnerabilities that SSL was supposed to address ... however, there are some number of
operational and/or infrastructure vulnerabilities involving SSL that result in not
actually achieving the desired goal (which has somewhat given rise to various of these
additional countermeasures). recent posts discussing issues about whether the
website you think you are talking to is really the website you are talking to
http://www.garlic.com/~lynn/aadsm26.htm#1 Extended Validation - setting the minimum liability, the CA trap, the market in browser governance
http://www.garlic.com/~lynn/2006d.html#29 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006s.html#11 Why not 2048 or 4096 bit RSA key issuance?
http://www.garlic.com/~lynn/2007.html#7 SSL info
collected past posts mentioning SSL
http://www.garlic.com/~lynn/subpubkey.html#sslcert
some number of past posts discussing infrastructure and process issues with
SSL-based domain name certificate infrastructure
http://www.garlic.com/~lynn/subpubkey.html#catch22
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
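The point made in the post above (a "show me my picture/phrase" step lets the user check the site, but a site that transparently forwards traffic in both directions passes the check too) can be illustrated with a small model. The code below is an added example, not from the post or the garlic.com archives; the origin names, user record, enrolment secret and class names are all constructed. It contrasts the phrase check with a check that is bound to the origin the client is actually connected to (an HMAC over that origin, in the spirit of channel/origin binding), which a forwarding intermediary at a different origin cannot satisfy.

```python
"""
Constructed model of site-to-user authentication with and without origin binding.
Nothing here touches the network; the "sites" are plain objects.
"""
import hashlib
import hmac

# Constructed sample data: the genuine site's origin and its per-user enrolment record.
REAL_ORIGIN = "bank.example"
SERVER_RECORDS = {
    "alice": {"site_phrase": "blue teapot", "secret": b"alice-enrolment-secret"},
}
# What the client side holds after enrolment (same phrase, same secret); constructed.
CLIENT_RECORDS = {
    "alice": {"site_phrase": "blue teapot", "secret": b"alice-enrolment-secret"},
}


class RealSite:
    """The genuine site. It only ever speaks for its own origin."""
    origin = REAL_ORIGIN

    def site_phrase(self, username):
        # Phrase scheme: reveal the enrolled phrase to whoever asks for this user.
        return SERVER_RECORDS[username]["site_phrase"]

    def origin_bound_token(self, username):
        # Origin-bound variant: HMAC over the server's OWN origin, keyed by the enrolment secret.
        key = SERVER_RECORDS[username]["secret"]
        return hmac.new(key, self.origin.encode(), hashlib.sha256).hexdigest()


class ForwardingSite:
    """An intermediary at a different origin that relays requests and responses unchanged.
    It exists only to show what each client-side check does and does not detect."""
    origin = "bank-login.example"  # constructed; differs from REAL_ORIGIN

    def __init__(self, upstream):
        self.upstream = upstream

    def site_phrase(self, username):
        return self.upstream.site_phrase(username)

    def origin_bound_token(self, username):
        return self.upstream.origin_bound_token(username)


def phrase_check_passes(site, username):
    """The user compares the phrase the site shows with the one they enrolled.
    Anything that relays the genuine site's answer satisfies this."""
    return site.site_phrase(username) == CLIENT_RECORDS[username]["site_phrase"]


def origin_bound_check_passes(site, username):
    """The client recomputes the token over the origin it is actually connected to
    (site.origin) and compares it with what the site returns. A relay at a different
    origin returns a token computed over REAL_ORIGIN, which does not match."""
    key = CLIENT_RECORDS[username]["secret"]
    expected = hmac.new(key, site.origin.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, site.origin_bound_token(username))


if __name__ == "__main__":
    genuine, relayed = RealSite(), ForwardingSite(RealSite())
    print("phrase check, genuine:", phrase_check_passes(genuine, "alice"))
    print("phrase check, relayed:", phrase_check_passes(relayed, "alice"))
    print("origin-bound, genuine:", origin_bound_check_passes(genuine, "alice"))
    print("origin-bound, relayed:", origin_bound_check_passes(relayed, "alice"))
```

The model makes the post's distinction concrete: the phrase scheme proves only that whoever answers can obtain the genuine site's reply, while the origin-bound token is verified against the origin the client sees, so the verification result depends on where the connection actually terminates. In a deployed system the client-side secret would live in the browser or an authenticator rather than in the user's head, and the origin would be taken from the TLS connection, which is exactly the binding the post says the phrase/picture scheme lacks.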