[security] Gathering requirements for in-browser OpenID support

Joaquin Miller joaquin at netmesh.us
Tue Oct 31 15:14:33 UTC 2006


It may help those doubters if we now briefly explain how EKE 
accomplishes a) and b).

> > For the benefit of me and others reading this thread, can you briefly
> > explain how you would deploy EKE in a browser to defeat MitM ?
>
>By ensuring that the man in the middle:
>
>a) Ends up not in the possession of any authentication credentials
>
>b) Can neither understand nor usefully modify the conversation they 
>are proxying.

I'm sure everyone understands how an authenticated public key 
accomplishes a) and b), so there is no need to read on.

Cordially, Joaquin






a) The authentication credentials are encrypted with public keys, so 
that only the intended recipient can decrypt* them.

b) The conversation is encrypted with public keys, or with a session 
key exchanged using public keys, so that only the intended recipient 
can understand* and only the sender can modify*.


* yeah, yeah: easily, soon enough to matter.
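As an added example, not part of Joaquin's message or of the OpenID work discussed, here is a toy model of the a)/b) argument: with a pinned, authenticated server key the man in the middle obtains neither the credential nor a key he can use to read or alter the session, while the same exchange with an unauthenticated key gives him both. The Diffie-Hellman group, the fingerprint pinning and the HMAC framing are constructed here for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: a Mersenne
# prime modulus far too small for real use, and a fixed generator.
P = 2**127 - 1
G = 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """What the client has pinned in advance: a hash of the server's public key."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def derive(priv, peer_pub):
    """Session key from the shared Diffie-Hellman secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def tag(key, msg):
    """Integrity tag; only a holder of the session key can produce a valid one."""
    return hmac.new(key, msg, "sha256").digest()

def handshake(server_pub, server_priv, pinned_fp, mitm):
    """Client and server exchange DH values, optionally through a man in the
    middle who substitutes his own value both ways. pinned_fp=None models an
    unauthenticated public key. Returns what the attacker achieved."""
    c_priv, c_pub = keygen()
    m_priv, m_pub = keygen()
    to_client, to_server = (m_pub, m_pub) if mitm else (server_pub, c_pub)
    # a) Authenticated key: the client sends no credential to a key it cannot verify.
    if pinned_fp is not None and fingerprint(to_client) != pinned_fp:
        return {"credential_sent": False, "attacker_reads": False, "forgery_accepted": False}
    k_client = derive(c_priv, to_client)
    k_server = derive(server_priv, to_server)
    credential = b"user=alice;password=hunter2"  # constructed sample credential
    t = tag(k_client, credential)               # what goes on the wire
    forged = credential.replace(b"alice", b"mallory")
    if mitm:
        # One key shared with each side: read the client's message, re-tag a forgery.
        attacker_reads = derive(m_priv, c_pub) == k_client
        t = tag(derive(m_priv, server_pub), forged)
    else:
        attacker_reads = False  # an eavesdropper has no key; the old tag stays
    # b) The server accepts only what the holder of its session key tagged.
    forgery_accepted = hmac.compare_digest(tag(k_server, forged), t)
    return {"credential_sent": True, "attacker_reads": attacker_reads, "forgery_accepted": forgery_accepted}
```

Run `handshake(pub, priv, fingerprint(pub), mitm=True)` and `handshake(pub, priv, None, mitm=True)` side by side to see the pinned key refuse the exchange and the unauthenticated one hand the attacker both the credential and a forgery the server accepts.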