Re: [cap-talk] Firefox breaks the principle of identifiability

Tyler Close list at waterken.net
Tue Feb 8 14:08:01 EST 2005


On Feb 8, 2005, at 10:34 AM, Ian G wrote:
> list at waterken.net wrote:
>> On Feb 7, 2005, at 8:43 PM, Ben Laurie wrote: 
>>> The Shmoo example does not demonstrate anything about PKI (though it
>>> is true that the particular CA chosen doesn't tell you much about
>>> who bought the certificate, which would strike me as a fairly
>>> effective prevention of the attack - the CA was, however, chosen
>>> for cheapness, not usefulness).
>>   
>> So you view the Shmoo example [1] as a showcase of the PKI providing
>> effective prevention against a phishing attack? 
>
> No.  Shmoo doesn't say anything about phishing
> that hasn't already been said before.

Just to be clear, what do you think Shmoo says about phishing?

> And it doesn't say anything that I can see about PKI.

Pardon my deliberateness here, but I am just stunned.

It is your position that the Shmoo https link which spoofs the
paypal.com site is not an attack on the use of PKI on the WWW?

> And PKI doesn't cover phishing.

In your worldview, is phishing an attack against server authentication
on the WWW? Are you saying that PKI is not expected to provide server
authentication on the WWW?

Tyler

---
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

