And don't forget:

The user discloses an authentication credential to a party that is not the
intended one, permitting the attacker to impersonate them.

When people propose schemes that involve modifying the Web Server and the
browser together, the scheme has the same deployment constraints as fixing
the HTML password bug so that the password is not disclosed in the protocol.

On Thu, Jan 19, 2012 at 11:19 PM, Daniel Kahn Gillmor <[email protected]> wrote:

> On 01/19/2012 06:51 PM, Phillip Hallam-Baker wrote:
> > The threat we should be interested in at this point is the following:
> >
> > * Bad thing happens to user of the Internet.
>
> If Paul's threat lineup was too specific, Phillip's description here
> strikes me as a tad overbroad.
>
> Given the name of the list and the context in which it was formed, it
> seems that the concern is about identity management, particularly with
> public key infrastructure in mind:
>
>  * an attacker can convince a victim on the network that the attacker is
> someone else.
>
>  * the victim is likely to do or communicate things with that attacker
> given their mistaken belief about the identity of the attacker.
>
> Public key infrastructure (in the general sense, not limited to PKIX and
> X.509) has a goal of making sure that each party to a transaction can be
> sure that the key of each other party belongs to the entity they think
> it does.
>
> We're looking at various ways that this binding (knowing "the right key"
> for each peer you communicate with) can fail, and what can be done to
> avoid those failures.
>
> Hopefully, participants in this list will also be willing to examine the
> social structures and incentives created by the various technical
> proposals under discussion, since they're relevant to the resistance of
> the scheme against various methods of impersonation.
>
>        --dkg
>
>
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey


-- 
Website: http://hallambaker.com/