On 03/21/2013 09:02 PM, Rich Kulawiec wrote:
True, but phishing is not currently a solvable problem anyway; it falls
into a class of problems that can't be solved no matter how much clever
technology is developed because all of that technology presumes that
end user systems are secure...and
On Tue, Mar 12, 2013 at 06:31:56PM -0500, Kyle Maxwell wrote:
> A. This doesn't eliminate phishing because users will still enter
> their credentials at a site that doesn't actually match the one where
> the cert was previously signed. Otherwise, existing HTTPS controls
> would already protect them
On 03/13/2013 08:33 AM, Petter Ericson wrote:
Kyle:
A. This doesn't eliminate phishing because users will still enter
their credentials at a site that doesn't actually match the one where
the cert was previously signed. Otherwise, existing HTTPS controls
would already protect them.
Not speak
Thanks for bringing up these points.
On 03/13/2013 01:53 AM, Steve Weis wrote:
At the core of this proposal, sites run their own CAs and users
install site-specific client-side certificates. Many organizations
have been doing this for years. For example, MIT:
http://ist.mit.edu/certificates .
Thank you for your concerns,
I think I have the issues you mention covered in the 'protocol'
On 03/13/2013 12:31 AM, Kyle Maxwell wrote:
I appreciate the intention, but I see a lot of problems here. Without
doing an exhaustive analysis:
A. This doesn't eliminate phishing because users will st
Well, given that protocol uses essentially no new tech (apart from the
message bit, which to me looks a bit superfluous), it should require
relatively little time to implement properly.
Furthermore, there are various parts of the protocol that are Good
Ideas, independently of the other parts - ha
At the core of this proposal, sites run their own CAs and users install
site-specific client-side certificates. Many organizations have been doing
this for years. For example, MIT: http://ist.mit.edu/certificates .
I like client certificates as an additional factor in general, but user
enrollment
I appreciate the intention, but I see a lot of problems here. Without
doing an exhaustive analysis:
A. This doesn't eliminate phishing because users will still enter
their credentials at a site that doesn't actually match the one where
the cert was previously signed. Otherwise, existing HTTPS cont
Ladies and Gentlemen,
I've long disliked the direction the internet headed with regard to
privacy. Or its total disregard of it.
I've come up with a novel architecture of existing old and recent
cryptographic tools that offers a substantial improvement in security
and privacy. I call it E