[Ietf-http-auth] Pondering some issues on the phishing draft
christopher at pobox.com
Wed Oct 24 06:02:52 PDT 2007

The "game" was a test to see if you're interested in solving the
problem, or have a hidden agenda (networkresonance.com I'd guess?).
Yes - there's an elegant solution. The Unix/DOS MD5's of it are
below. If you add constructive contributions (aka - play the game),
I'll send an answer.

Meanwhile, others are invited to ask off-list for the solution, if they

Cookies do work. Everyone knows it; you - of all people - with CDT -
you know that. Adequate recovery is the same as any enrollment
problem, not that it's relevant 99.9% of the time (I already said
cookies aren't the answer btw.).

Wednesday, October 24, 2007, 10:03:06 PM, you wrote:
ER> At Wed, 24 Oct 2007 15:48:01 +1000,
ER> christopher at pobox.com wrote:
>> Hi Eric,
>> Cookies work, yes
ER> No, cookies don't work.
ER> The problem, as I said, is that any mechanism which relies on cookies
ER> needs a recovery mechanism in case the cookie gets lost. That recovery
ER> mechanism generally entails a bunch of challenge questions. But
ER> now those challenge questions themselves become a phishing target.
>> - so you answered your own question for 99.9% of use
>> cases (the remaining 0.1% being folks who regularly use machines they
>> can't store their cookies on). You also highlighted the drawbacks of
>> pwdhash - how does a user do anything on the theoretical "new device",
>> especially one like a phone or work PC that has no plugin or admin
>> Anyhow - while cookies work - that's still boringly "inside the box"
>> and assuming far too much. Here's the MD5s of my next reply to you:
>> 1134102756cd5c895709aeb9d821b4da 82b4f03e38fc086ade8d35a4a743c7b9
>> Have a go at lateral-thinking, jump outside the box, and let me know
>> what better ideas you can come up with besides cookies. Hint:
>> challenge *all* your assumptions :-)
ER> How about instead we skip the game playing and you describe what
ER> you have in mind?