On Tue, Mar 12, 2013 at 06:31:56PM -0500, Kyle Maxwell wrote:

> A. This doesn't eliminate phishing because users will still enter
> their credentials at a site that doesn't actually match the one where
> the cert was previously signed. Otherwise, existing HTTPS controls
> would already protect them.

True, but phishing is not currently a solvable problem anyway; it falls into a class of problems that can't be solved no matter how much clever technology is developed, because all of that technology presumes that end user systems are secure...annnnnd they're not. (Other problems in that class: spam, email forgery, DDoS.)

A substantial percentage of end user systems are already compromised (in full or part) and more of them are being compromised while you're reading this. So unless this proposal or one like it comes with a plan to remediate a few hundred million systems, it may be beautiful in theory, but it won't work in practice.

In passing, let me note that banks and other financial institutions are aiding and abetting phishers by doing extremely stupid things like (a) sending email marked up with HTML, (b) sending email with URLs, (c) sending email with web bugs, and (d) outsourcing their email. The irony is that while those entities are busy *training* their customers to be phished, they're constantly whining about how terribly awfully bad the situation is.

There is insufficient scotch to dull the pain of that much stupid.

---rsk

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
