[OpenID] Phishing resistant policy of PAPE

Jack Cleaver jack at jackpot.uk.net
Tue Oct 28 17:20:59 UTC 2008


Shishir wrote:
> 
> So we recommend that "phishing-resistant authentication" be replaced
>  with "man-in-the-middle-resistant authentication", defined as "An 
> authentication mechanism that is immune to man-in-the-middle 
> attacks."

Just a quibble (in case that phrasing is destined for normative
documentation):

"Resistant" does not mean the same as "Immune". Immunity to MITM attacks
is a strong claim, one that could be taken to the bank. "Resistant" is a
wishy-washy claim, unless qualified (e.g. "water-resistant to 20m"). I
have "stain-resistant" clothes that have stains. But a subject
exhibiting both immunity to influenza and an actual influenza infection
would be a remarkable case, forcing the rewriting of both medical and
logic textbooks.

-- 
Jack.
