Gmane
From: Sam Hartman <hartmans-ietf <at> mit.edu>
Subject: Re: Updated phishing requirements draft
Newsgroups: gmane.ietf.dix
Date: Thursday 29th June 2006 17:33:49 UTC (over 11 years ago)
>>>>> "Eliot" == Eliot Lear  writes:

    Eliot> Perhaps I'm not well enough versed to understand why this would be the
    Eliot> case, unless the other end can prove itself in some meaningful way in
    Eliot> the next phase that the user would actually understand.  And even then
    Eliot> I'm not sure that solves MITM.


It can be made to solve MITM.

My argument is that there are a number of cases where the other end can
prove its identity in a sufficiently meaningful way at a higher level.


If it knows the same secret as I do, then it's one of the people who
knows that secret.  If only two people know the secret and I'm one of
them, well I probably know who it is.  If the other end then tells me
the name of its cert, I check that name and confirm I trust the CA,
then I have met the requirements of 4.5.

    >> I think it is quite possible to accomplish 4.5 in the case
    >> where you have an existing relationship with a site based on
    >> shared secrets.
    >> 
    Eliot> Section 4.6 assumes that there is a third party identity provider.  This
    Eliot> needn't be the case, but if it is, it is sufficient to have a name, a
    Eliot> nonce, and a public/private key pair, is it not?
    >> 

All this is true.
I don't see how it has anything to do with 4.6.
 