[security] Gathering requirements for in-browser OpenID support
James A. Donald
jamesd at echeque.com
Tue Oct 31 23:09:13 UTC 2006
>> > For the benefit of me and others reading this thread, can you briefly
>> > explain how you would deploy EKE in a browser to defeat MitM?
>> By ensuring that the man in the middle:
>>
>> a) Ends up not in the possession of any authentication credentials
>>
>> b) Can neither understand nor usefully modify the conversation they
>> are proxying.
Joaquin Miller wrote:
> I'm sure everyone understands how an authenticated public key
> accomplishes a) and b), so there is no need to read on.
EKE does not use authenticated public keys.